ElfFile)AElfChnkg++g++ל/ެMu=VysMc&&** g+aS ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !XaSg+ F&F%g>9{p(xlMD EventDatauoData !BinaryEnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=af803b40-0606-4445-9157-9c01a6123a41 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ad ** h+aS ]Ɋ&  !XaSh+ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=af803b40-0606-4445-9157-9c01a6123a41 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n=4 ** i+aS ]Ɋ&  !XaSi+ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=af803b40-0606-4445-9157-9c01a6123a41 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Id= ** j+aS ]Ɋ&  !XaSj+ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=af803b40-0606-4445-9157-9c01a6123a41 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ame ** k+aS ]Ɋ&  !XaSk+ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=af803b40-0606-4445-9157-9c01a6123a41 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** l+aS ]Ɋ& e !aSl+ F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=af803b40-0606-4445-9157-9c01a6123a41 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=29f5752b-da12-47b0-b99a-56cd0bc1ad0b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=18 ** m+qbS ]Ɋ& q !qbSm+ F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=af803b40-0606-4445-9157-9c01a6123a41 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=29f5752b-da12-47b0-b99a-56cd0bc1ad0b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s\Ne **n+qbS ]Ɋ& 7!XqbSn+ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d0227b71-4258-47c0-b5b1-6ef628d6bcc5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**o+qbS ]Ɋ& O!XqbSo+ F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d0227b71-4258-47c0-b5b1-6ef628d6bcc5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**p+qbS ]Ɋ& K!XqbSp+ F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d0227b71-4258-47c0-b5b1-6ef628d6bcc5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_.S**q+qbS ]Ɋ& C!XqbSq+ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d0227b71-4258-47c0-b5b1-6ef628d6bcc5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Siz**r+qbS ]Ɋ& C!XqbSr+ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d0227b71-4258-47c0-b5b1-6ef628d6bcc5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ice**s+qbS ]Ɋ& E!XqbSs+ F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d0227b71-4258-47c0-b5b1-6ef628d6bcc5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== **@t+qbS ]Ɋ& !qbSt+ F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d0227b71-4258-47c0-b5b1-6ef628d6bcc5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=afc15889-5aef-4033-a2cf-d41b0815945d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=iz@**Pu+qbS ]Ɋ& !qbSu+ F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d0227b71-4258-47c0-b5b1-6ef628d6bcc5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=afc15889-5aef-4033-a2cf-d41b0815945d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= SizP**Hv+4 S ]Ɋ& !X4 Sv+ F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a75d25c1-9b08-457c-a713-25d1afe66ea6 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=AH**`w+4 S ]Ɋ& !X4 Sw+ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a75d25c1-9b08-457c-a713-25d1afe66ea6 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r`**`x+4 S ]Ɋ& !X4 Sx+ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a75d25c1-9b08-457c-a713-25d1afe66ea6 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t -`**Xy+4 S ]Ɋ& !X4 Sy+ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a75d25c1-9b08-457c-a713-25d1afe66ea6 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nt X**Xz+4 S ]Ɋ& !X4 Sz+ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a75d25c1-9b08-457c-a713-25d1afe66ea6 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n $X**X{+4 S ]Ɋ& !X4 S{+ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a75d25c1-9b08-457c-a713-25d1afe66ea6 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=GeX**|+4 S ]Ɋ& !4 S|+ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a75d25c1-9b08-457c-a713-25d1afe66ea6 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=fdcca45e-f91e-49f4-ba91-92d86d2861bc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**}+4 S ]Ɋ&  !4 S}+ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=a75d25c1-9b08-457c-a713-25d1afe66ea6 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=fdcca45e-f91e-49f4-ba91-92d86d2861bc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=apte**X~+#*T ]Ɋ&  !X#*T~+ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=58c9e56a-2588-4ff4-857e-73af6262c7ad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=enX**p+#*T ]Ɋ&  !X#*T+ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=58c9e56a-2588-4ff4-857e-73af6262c7ad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($p**p+#*T ]Ɋ&  !X#*T+ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=58c9e56a-2588-4ff4-857e-73af6262c7ad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= tryp**h+#*T ]Ɋ&  !X#*T+ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=58c9e56a-2588-4ff4-857e-73af6262c7ad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Geth**h+#*T ]Ɋ&  !X#*T+ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=58c9e56a-2588-4ff4-857e-73af6262c7ad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**h+#*T ]Ɋ&  !X#*T+ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=58c9e56a-2588-4ff4-857e-73af6262c7ad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= } h } #  ]Ɋ& In#*T+ F&ain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ostVersion=4 ]Ɋ& e XaSg+ F&exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= - 6 } | F ] ]Ɋ& XXFRH+ F& if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnk++++ZMu=VysMc&&**+#*T ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !#*T+ F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=58c9e56a-2588-4ff4-857e-73af6262c7ad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=01f86978-e7de-40a2-9349-a8fb169f789b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**+#*T ]Ɋ& !#*T+ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=58c9e56a-2588-4ff4-857e-73af6262c7ad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=01f86978-e7de-40a2-9349-a8fb169f789b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X+T ]Ɋ&  !XT+ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ae9b1703-15e8-4896-84d3-1bda876033ee HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=InX**p+T ]Ɋ&  !XT+ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ae9b1703-15e8-4896-84d3-1bda876033ee HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=inp**p+T ]Ɋ&  !XT+ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ae9b1703-15e8-4896-84d3-1bda876033ee HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} | p**h+T ]Ɋ&  !XT+ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ae9b1703-15e8-4896-84d3-1bda876033ee HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h+T ]Ɋ&  !XT+ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ae9b1703-15e8-4896-84d3-1bda876033ee HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Byph**h+T ]Ɋ&  !XT+ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ae9b1703-15e8-4896-84d3-1bda876033ee HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= }h**+T ]Ɋ&  !T+ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ae9b1703-15e8-4896-84d3-1bda876033ee HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=b80eb769-50ae-4455-bffe-29e93e1c5486 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**+T ]Ɋ& !T+ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ae9b1703-15e8-4896-84d3-1bda876033ee HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=b80eb769-50ae-4455-bffe-29e93e1c5486 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1** +T ]Ɋ& w !XT+ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5c76cbd3-5af3-4d02-b9bb-fdb1c5597463 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8+T ]Ɋ&  !XT+ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5c76cbd3-5af3-4d02-b9bb-fdb1c5597463 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n8**8+T ]Ɋ&  !XT+ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5c76cbd3-5af3-4d02-b9bb-fdb1c5597463 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine="SI8**0+T ]Ɋ&  !XT+ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5c76cbd3-5af3-4d02-b9bb-fdb1c5597463 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=jec0**0+T ]Ɋ&  !XT+ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5c76cbd3-5af3-4d02-b9bb-fdb1c5597463 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$($0**0+T ]Ɋ&  !XT+ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5c76cbd3-5af3-4d02-b9bb-fdb1c5597463 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Wr0**+T ]Ɋ&  !T+ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5c76cbd3-5af3-4d02-b9bb-fdb1c5597463 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=5a99dd12-04aa-499c-a196-dbccb86244f8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -d $_.LinkLay ]Ɋ& , T+ F&ias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= - 6 } | F ] ]Ɋ& XXFRH+ F& if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnk++++x Mu=VysMc&&**+T ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! q!T+ F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=5c76cbd3-5af3-4d02-b9bb-fdb1c5597463 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=5a99dd12-04aa-499c-a196-dbccb86244f8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**+T ]Ɋ&  !XT+ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=fc719efa-ab37-4acb-97e2-f3e9cf6c3269 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Name**+T ]Ɋ&  !XT+ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=fc719efa-ab37-4acb-97e2-f3e9cf6c3269 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**+T ]Ɋ& !XT+ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=fc719efa-ab37-4acb-97e2-f3e9cf6c3269 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**+T ]Ɋ&  !XT+ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=fc719efa-ab37-4acb-97e2-f3e9cf6c3269 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**+T ]Ɋ&  !XT+ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=fc719efa-ab37-4acb-97e2-f3e9cf6c3269 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=st**+T ]Ɋ&  !XT+ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=fc719efa-ab37-4acb-97e2-f3e9cf6c3269 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l**+T ]Ɋ& O!T+ F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=fc719efa-ab37-4acb-97e2-f3e9cf6c3269 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=3cde9236-51d1-4d62-8104-f6e01217212e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**+!LT ]Ɋ& [!!LT+ F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=fc719efa-ab37-4acb-97e2-f3e9cf6c3269 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=3cde9236-51d1-4d62-8104-f6e01217212e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==ae**8 +T ]Ɋ&  !XT+ F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=cfa2f051-413f-4482-9368-b15b931e03db HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8 **P +T ]Ɋ&  !XT+ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=cfa2f051-413f-4482-9368-b15b931e03db HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=TyP **P +T ]Ɋ&  !XT+ F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=cfa2f051-413f-4482-9368-b15b931e03db HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= catP **H +T ]Ɋ&  !XT+ F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=cfa2f051-413f-4482-9368-b15b931e03db HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d $_H **H +T ]Ɋ&  !XT+ F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=cfa2f051-413f-4482-9368-b15b931e03db HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1 H **H +T ]Ɋ&  !XT+ F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=cfa2f051-413f-4482-9368-b15b931e03db HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=erCH ** +T ]Ɋ&  !T+ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=cfa2f051-413f-4482-9368-b15b931e03db HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=f07ba9c3-6737-40b6-8f3f-99d72532ac55 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ile ** +T ]Ɋ&  !T+ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=cfa2f051-413f-4482-9368-b15b931e03db HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=f07ba9c3-6737-40b6-8f3f-99d72532ac55 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=- t $mac) {  ]Ɋ& rAXT+ F& $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=5a99dd12-04aa-499c-a196-dbccb86244f8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -d $_.LinkLay ]Ɋ& , T+ F&ias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= - 6 } | F ] ]Ɋ& XXFRH+ F& if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnk++++(S^Mu=VysMc&&**(+T ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XT+ F&F%g>9{p(xlMD EventDatauoData !BinaryT AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0319e035-496a-4136-8821-e1974cdb4f61 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ty(**8+T ]Ɋ&  !XT+ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0319e035-496a-4136-8821-e1974cdb4f61 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n8**8+T ]Ɋ&  !XT+ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0319e035-496a-4136-8821-e1974cdb4f61 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=RNI8**0+T ]Ɋ&  !XT+ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0319e035-496a-4136-8821-e1974cdb4f61 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=the0**0+T ]Ɋ&  !XT+ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0319e035-496a-4136-8821-e1974cdb4f61 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ror0**0+T ]Ɋ&  !XT+ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0319e035-496a-4136-8821-e1974cdb4f61 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sc0**+T ]Ɋ&  !T+ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0319e035-496a-4136-8821-e1974cdb4f61 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=2dc6a7af-abbc-4780-bf4f-041b70750fe5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bo**+{T ]Ɋ&  !{T+ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=0319e035-496a-4136-8821-e1974cdb4f61 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=2dc6a7af-abbc-4780-bf4f-041b70750fe5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Trig**+{T ]Ɋ& K!X{T+ F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=771a3ec5-0bf4-466b-a637-e34a5f5aed36 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cti**+{T ]Ɋ& c!X{T+ F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=771a3ec5-0bf4-466b-a637-e34a5f5aed36 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sBo**+{T ]Ɋ& _!X{T+ F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=771a3ec5-0bf4-466b-a637-e34a5f5aed36 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **+{T ]Ɋ& W!X{T+ F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=771a3ec5-0bf4-466b-a637-e34a5f5aed36 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**+{T ]Ɋ& W!X{T+ F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=771a3ec5-0bf4-466b-a637-e34a5f5aed36 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S**+{T ]Ɋ& Y!X{T+ F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=771a3ec5-0bf4-466b-a637-e34a5f5aed36 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=in32**X+{T ]Ɋ& !{T+ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=771a3ec5-0bf4-466b-a637-e34a5f5aed36 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=57fb4191-86eb-4480-aa54-c62c3ed07d38 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $shX**`+{T ]Ɋ& !{T+ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=771a3ec5-0bf4-466b-a637-e34a5f5aed36 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=57fb4191-86eb-4480-aa54-c62c3ed07d38 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s|`** +{T ]Ɋ& w !X{T+ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6401e501-63d7-472e-a24f-61d5bfb485d2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e **8+{T ]Ɋ&  !X{T+ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6401e501-63d7-472e-a24f-61d5bfb485d2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8+{T ]Ɋ&  !X{T+ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6401e501-63d7-472e-a24f-61d5bfb485d2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ins8**0+{T ]Ɋ&  !X{T+ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6401e501-63d7-472e-a24f-61d5bfb485d2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=are0**0+{T ]Ɋ&  !X{T+ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6401e501-63d7-472e-a24f-61d5bfb485d2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e -0**0+{T ]Ɋ&  !X{T+ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6401e501-63d7-472e-a24f-61d5bfb485d2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0F& if($_ ]Ɋ& "}{T+ F&ess EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnk++++X>C8+8Mu=VysMc&&**+{T ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! e!{T+ F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6401e501-63d7-472e-a24f-61d5bfb485d2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=6f81499d-543b-4855-a530-11c5f0b63108 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**+GT ]Ɋ&  !GT+ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=6401e501-63d7-472e-a24f-61d5bfb485d2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=6f81499d-543b-4855-a530-11c5f0b63108 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=&** +GT ]Ɋ&  !XGT+ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ac27c249-7305-4a2e-8955-781d2fb2dc10 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_ ** +GT ]Ɋ&  !XGT+ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ac27c249-7305-4a2e-8955-781d2fb2dc10 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ** +GT ]Ɋ&  !XGT+ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ac27c249-7305-4a2e-8955-781d2fb2dc10 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e=C ** +GT ]Ɋ&  !XGT+ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ac27c249-7305-4a2e-8955-781d2fb2dc10 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=jec ** +GT ]Ɋ&  !XGT+ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ac27c249-7305-4a2e-8955-781d2fb2dc10 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ada ** +GT ]Ɋ&  !XGT+ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ac27c249-7305-4a2e-8955-781d2fb2dc10 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-N ** +GT ]Ɋ& e !GT+ F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ac27c249-7305-4a2e-8955-781d2fb2dc10 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=b16acead-8793-4b92-a2dc-8ed93a43a270 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=}  **X+T ]Ɋ&  !XT+ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1fba6e34-2496-42ca-b0ac-5a93f9a1f773 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=elX**p+T ]Ɋ&  !XT+ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1fba6e34-2496-42ca-b0ac-5a93f9a1f773 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**p+T ]Ɋ&  !XT+ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1fba6e34-2496-42ca-b0ac-5a93f9a1f773 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=actip**h+T ]Ɋ&  !XT+ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1fba6e34-2496-42ca-b0ac-5a93f9a1f773 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=son h**h+T ]Ɋ&  !XT+ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1fba6e34-2496-42ca-b0ac-5a93f9a1f773 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ih**h+T ]Ɋ&  !XT+ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1fba6e34-2496-42ca-b0ac-5a93f9a1f773 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pteh**+T ]Ɋ&  !T+ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1fba6e34-2496-42ca-b0ac-5a93f9a1f773 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=383bb5d9-6482-4512-aa4e-5cb983f7acaf PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ **+T ]Ɋ& !T+ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=1fba6e34-2496-42ca-b0ac-5a93f9a1f773 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=383bb5d9-6482-4512-aa4e-5cb983f7acaf PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **X+T ]Ɋ&  !XT+ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=abfe3312-debf-4668-bcb7-0457d11a331c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**p+T ]Ɋ&  !XT+ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=abfe3312-debf-4668-bcb7-0457d11a331c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= npt }  ]Ɋ&  bXT+ F& { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0F& if($_ ]Ɋ& "}{T+ F&ess EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnk++++. TMu=VysMc&&**p+T ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! Q!XT+ F&F%g>9{p(xlMD EventDatauoData !Binary FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=abfe3312-debf-4668-bcb7-0457d11a331c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dp**h+T ]Ɋ&  !XT+ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=abfe3312-debf-4668-bcb7-0457d11a331c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Comh**h+T ]Ɋ&  !XT+ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=abfe3312-debf-4668-bcb7-0457d11a331c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ressh**h+T ]Ɋ&  !XT+ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=abfe3312-debf-4668-bcb7-0457d11a331c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ipeh**+T ]Ɋ&  !T+ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=abfe3312-debf-4668-bcb7-0457d11a331c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=84e60523-1830-4435-91d3-adfc4676f708 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nsC** +T ]Ɋ& q !T+ F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ac27c249-7305-4a2e-8955-781d2fb2dc10 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=b16acead-8793-4b92-a2dc-8ed93a43a270 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.Int **+T ]Ɋ& !T+ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=abfe3312-debf-4668-bcb7-0457d11a331c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=84e60523-1830-4435-91d3-adfc4676f708 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**+T ]Ɋ& 7!XT+ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c9f65114-498a-441d-b572-09c39a26c35b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **+T ]Ɋ& O!XT+ F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c9f65114-498a-441d-b572-09c39a26c35b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l**+T ]Ɋ& K!XT+ F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c9f65114-498a-441d-b572-09c39a26c35b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=efe**+T ]Ɋ& C!XT+ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c9f65114-498a-441d-b572-09c39a26c35b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=lec**+T ]Ɋ& C!XT+ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c9f65114-498a-441d-b572-09c39a26c35b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= !**+T ]Ɋ& E!XT+ F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c9f65114-498a-441d-b572-09c39a26c35b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ou**@+T ]Ɋ& !T+ F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c9f65114-498a-441d-b572-09c39a26c35b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=ead66a0f-d045-4e3b-b355-b22754b8f013 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=:$@**P+?xT ]Ɋ& !?xT+ F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c9f65114-498a-441d-b572-09c39a26c35b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=ead66a0f-d045-4e3b-b355-b22754b8f013 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=LiteP**H+ݪT ]Ɋ& !XݪT+ F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=85ab8d43-9b06-4307-9924-4b52f21ff7c2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=9H**`+ݪT ]Ɋ& !XݪT+ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=85ab8d43-9b06-4307-9924-4b52f21ff7c2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o`**`+ݪT ]Ɋ& !XݪT+ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=85ab8d43-9b06-4307-9924-4b52f21ff7c2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ `**X+ݪT ]Ɋ& !XݪT+ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=85ab8d43-9b06-4307-9924-4b52f21ff7c2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ertX**X+ݪT ]Ɋ& !XݪT+ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=85ab8d43-9b06-4307-9924-4b52f21ff7c2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**X+ݪT ]Ɋ& !XݪT+ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=85ab8d43-9b06-4307-9924-4b52f21ff7c2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**+ݪT ]Ɋ& !ݪT+ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=85ab8d43-9b06-4307-9924-4b52f21ff7c2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=06d1ea12-ea30-4792-b921-519ac063374d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine="S**+CT ]Ɋ& K!XCT+ F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=09bf9b4e-2b1e-42d1-bea3-97ac7dccd2e1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= }**+CT ]Ɋ& c!XCT+ F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=09bf9b4e-2b1e-42d1-bea3-97ac7dccd2e1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nme**+CT ]Ɋ& _!XCT+ F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=09bf9b4e-2b1e-42d1-bea3-97ac7dccd2e1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**+CT ]Ɋ& W!XCT+ F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=09bf9b4e-2b1e-42d1-bea3-97ac7dccd2e1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=u**+CT ]Ɋ& W!XCT+ F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=09bf9b4e-2b1e-42d1-bea3-97ac7dccd2e1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**+CT ]Ɋ& Y!XCT+ F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=09bf9b4e-2b1e-42d1-bea3-97ac7dccd2e1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=exit**X+CT ]Ɋ& !CT+ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=09bf9b4e-2b1e-42d1-bea3-97ac7dccd2e1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=886db555-0bb9-4172-8bc8-8434c935f242 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=te-OX**`+CT ]Ɋ& !CT+ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=09bf9b4e-2b1e-42d1-bea3-97ac7dccd2e1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=886db555-0bb9-4172-8bc8-8434c935f242 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$_`** +CT ]Ɋ& w !XCT+ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=475bc565-d07b-458f-9482-169165d881c1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d nhancedKeyUs ]Ɋ&  XCT+ F& # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= npt }  ]Ɋ&  bXT+ F& { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0F& if($_ ]Ɋ& "}{T+ F&ess EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnk+ ,+ ,=^Mu=VysMc&&**@+CT ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XCT+ F&F%g>9{p(xlMD EventDatauoData !Binaryl EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=475bc565-d07b-458f-9482-169165d881c1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dP@**8+CT ]Ɋ&  !XCT+ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=475bc565-d07b-458f-9482-169165d881c1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= S8**0+CT ]Ɋ&  !XCT+ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=475bc565-d07b-458f-9482-169165d881c1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Com0**0+CT ]Ɋ&  !XCT+ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=475bc565-d07b-458f-9482-169165d881c1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ru0**0+CT ]Ɋ&  !XCT+ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=475bc565-d07b-458f-9482-169165d881c1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ex0**+CT ]Ɋ&  !CT+ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=475bc565-d07b-458f-9482-169165d881c1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=22727b87-e95b-46f4-b483-5a69ecb77fde PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=io**+~T ]Ɋ&  !~T+ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=475bc565-d07b-458f-9482-169165d881c1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=22727b87-e95b-46f4-b483-5a69ecb77fde PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d ** +~T ]Ɋ&  !X~T+ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=dbd5e5ea-fdce-4d21-be96-4f70372360b0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ӱ ** +~T ]Ɋ&  !X~T+ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=dbd5e5ea-fdce-4d21-be96-4f70372360b0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h ** +~T ]Ɋ&  !X~T+ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=dbd5e5ea-fdce-4d21-be96-4f70372360b0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=exe ** +~T ]Ɋ&  !X~T+ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=dbd5e5ea-fdce-4d21-be96-4f70372360b0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== ** +~T ]Ɋ&  !X~T+ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=dbd5e5ea-fdce-4d21-be96-4f70372360b0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ver ** +~T ]Ɋ&  !X~T+ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=dbd5e5ea-fdce-4d21-be96-4f70372360b0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** +~T ]Ɋ& e !~T+ F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=dbd5e5ea-fdce-4d21-be96-4f70372360b0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=225e2d90-b66e-4f47-aeab-dbe0e9e7a1d4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H ** +pT ]Ɋ& q !pT+ F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=dbd5e5ea-fdce-4d21-be96-4f70372360b0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=225e2d90-b66e-4f47-aeab-dbe0e9e7a1d4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ecut **+pT ]Ɋ& 7!XpT+ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2e05d4cf-b9c7-439a-8a66-800b2c0edbeb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**+pT ]Ɋ& O!XpT+ F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2e05d4cf-b9c7-439a-8a66-800b2c0edbeb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **+pT ]Ɋ& K!XpT+ F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2e05d4cf-b9c7-439a-8a66-800b2c0edbeb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ll.**,pT ]Ɋ& C!XpT, F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2e05d4cf-b9c7-439a-8a66-800b2c0edbeb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pow**,pT ]Ɋ& C!XpT, F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2e05d4cf-b9c7-439a-8a66-800b2c0edbeb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=lic**,pT ]Ɋ& E!XpT, F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2e05d4cf-b9c7-439a-8a66-800b2c0edbeb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e1**@,pT ]Ɋ& !pT, F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2e05d4cf-b9c7-439a-8a66-800b2c0edbeb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=8ba25398-00f2-4c68-96ce-c739795514df PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d1@**P,T ]Ɋ& !T, F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=2e05d4cf-b9c7-439a-8a66-800b2c0edbeb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=8ba25398-00f2-4c68-96ce-c739795514df PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=482-P**,CT ]Ɋ&  !CT, F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=85ab8d43-9b06-4307-9924-4b52f21ff7c2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=06d1ea12-ea30-4792-b921-519ac063374d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=adap**H,]U ]Ɋ& !X]U, F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=adb9f386-e919-4f2f-9457-3f29385e626e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**`,]U ]Ɋ& !X]U, F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=adb9f386-e919-4f2f-9457-3f29385e626e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**`,]U ]Ɋ& !X]U, F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=adb9f386-e919-4f2f-9457-3f29385e626e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=MAC`**X ,]U ]Ɋ& !X]U , F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=adb9f386-e919-4f2f-9457-3f29385e626e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= XnspaceId=  ]Ɋ& ipX]U , F&ndLine=X5ElfChnk ,$, ,$,PlvtMu=VysMc&&**X ,]U ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! ;!X]U , F&F%g>9{p(xlMD EventDatauoData !BinaryRegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=adb9f386-e919-4f2f-9457-3f29385e626e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**X ,]U ]Ɋ& !X]U , F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=adb9f386-e919-4f2f-9457-3f29385e626e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X** ,]U ]Ɋ& !]U , F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=adb9f386-e919-4f2f-9457-3f29385e626e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=11d77ece-fbf3-4bc5-a2a5-227b6db6e429 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e** ,tU ]Ɋ&  !tU , F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=adb9f386-e919-4f2f-9457-3f29385e626e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=11d77ece-fbf3-4bc5-a2a5-227b6db6e429 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e) {**,vU ]Ɋ& K!XvU, F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=62e7f27c-b7f1-451e-b14f-b797a3ff8bd5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= = **,vU ]Ɋ& c!XvU, F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=62e7f27c-b7f1-451e-b14f-b797a3ff8bd5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eHo**,vU ]Ɋ& _!XvU, F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=62e7f27c-b7f1-451e-b14f-b797a3ff8bd5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**,vU ]Ɋ& W!XvU, F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=62e7f27c-b7f1-451e-b14f-b797a3ff8bd5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m**,vU ]Ɋ& W!XvU, F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=62e7f27c-b7f1-451e-b14f-b797a3ff8bd5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s**,vU ]Ɋ& Y!XvU, F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=62e7f27c-b7f1-451e-b14f-b797a3ff8bd5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rkAd**X,vU ]Ɋ& !vU, F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=62e7f27c-b7f1-451e-b14f-b797a3ff8bd5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=06b57573-8b4e-423f-b8bd-ec35f2de1f0c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n SiX**`,vU ]Ɋ& !vU, F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=62e7f27c-b7f1-451e-b14f-b797a3ff8bd5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=06b57573-8b4e-423f-b8bd-ec35f2de1f0c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ne`** ,vU ]Ɋ& w !XvU, F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6cfbeafc-fb23-4c1f-8ec7-8da5dad8ebf4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e **8,vU ]Ɋ&  !XvU, F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6cfbeafc-fb23-4c1f-8ec7-8da5dad8ebf4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=)8**8,vU ]Ɋ&  !XvU, F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6cfbeafc-fb23-4c1f-8ec7-8da5dad8ebf4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Sc8**0,vU ]Ɋ&  !XvU, F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6cfbeafc-fb23-4c1f-8ec7-8da5dad8ebf4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=apt0**0,vU ]Ɋ&  !XvU, F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6cfbeafc-fb23-4c1f-8ec7-8da5dad8ebf4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=""D0**0,vU ]Ɋ&  !XvU, F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6cfbeafc-fb23-4c1f-8ec7-8da5dad8ebf4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ap0**,vU ]Ɋ&  !vU, F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6cfbeafc-fb23-4c1f-8ec7-8da5dad8ebf4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=1ba9a9aa-e6b7-4256-8045-dfcf5df06976 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **,7OwU ]Ɋ&  !7OwU, F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=6cfbeafc-fb23-4c1f-8ec7-8da5dad8ebf4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=1ba9a9aa-e6b7-4256-8045-dfcf5df06976 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ower** ,7OwU ]Ɋ&  !X7OwU, F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d432edb3-59c3-48a0-8377-2021ece38c41 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** ,7OwU ]Ɋ&  !X7OwU, F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d432edb3-59c3-48a0-8377-2021ece38c41 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=L ** ,7OwU ]Ɋ&  !X7OwU , F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d432edb3-59c3-48a0-8377-2021ece38c41 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ost ** !,7OwU ]Ɋ&  !X7OwU!, F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d432edb3-59c3-48a0-8377-2021ece38c41 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C ** ",7OwU ]Ɋ&  !X7OwU", F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d432edb3-59c3-48a0-8377-2021ece38c41 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ypa ** #,7OwU ]Ɋ&  !X7OwU#, F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d432edb3-59c3-48a0-8377-2021ece38c41 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ns ** $,7OwU ]Ɋ& e !7OwU$, F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d432edb3-59c3-48a0-8377-2021ece38c41 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=0291f5a0-812d-4bbd-bd73-82ffe9a34dc3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  , F&ndLine=X5ElfChnk%,?,%,?,(TpgMu=VysMc&&** %,wU ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !wU%, F&F%g>9{p(xlMD EventDatauoData !BinaryN StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d432edb3-59c3-48a0-8377-2021ece38c41 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=0291f5a0-812d-4bbd-bd73-82ffe9a34dc3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r **&,wU ]Ɋ& 7!XwU&, F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9886dfb1-285b-46a5-a0a8-420a42d00d4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**',wU ]Ɋ& O!XwU', F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9886dfb1-285b-46a5-a0a8-420a42d00d4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**(,wU ]Ɋ& K!XwU(, F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9886dfb1-285b-46a5-a0a8-420a42d00d4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=[PS**),wU ]Ɋ& C!XwU), F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9886dfb1-285b-46a5-a0a8-420a42d00d4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ach***,wU ]Ɋ& C!XwU*, F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9886dfb1-285b-46a5-a0a8-420a42d00d4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} |**+,wU ]Ɋ& E!XwU+, F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9886dfb1-285b-46a5-a0a8-420a42d00d4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -**@,,wU ]Ɋ& !wU,, F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9886dfb1-285b-46a5-a0a8-420a42d00d4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=0561789a-76b4-4690-8ff3-526b40bebaf6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=SC@**P-,dxU ]Ɋ& !dxU-, F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9886dfb1-285b-46a5-a0a8-420a42d00d4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=0561789a-76b4-4690-8ff3-526b40bebaf6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ceIDP**H.,N~V ]Ɋ& !XN~V., F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4204258a-7b42-4ca1-8156-d32ea8929e66 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=4H**`/,N~V ]Ɋ& !XN~V/, F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4204258a-7b42-4ca1-8156-d32ea8929e66 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=v`**`0,N~V ]Ɋ& !XN~V0, F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4204258a-7b42-4ca1-8156-d32ea8929e66 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ace`**X1,N~V ]Ɋ& !XN~V1, F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4204258a-7b42-4ca1-8156-d32ea8929e66 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l bX**X2,N~V ]Ɋ& !XN~V2, F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4204258a-7b42-4ca1-8156-d32ea8929e66 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= } X**X3,N~V ]Ɋ& !XN~V3, F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4204258a-7b42-4ca1-8156-d32ea8929e66 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f X**4,N~V ]Ɋ& !N~V4, F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4204258a-7b42-4ca1-8156-d32ea8929e66 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=219b04db-428b-401b-9c46-0974441696e9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **X5,V ]Ɋ&  !XV5, F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a2efbbf3-80d4-4392-a183-f23624ac7a40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**p6,V ]Ɋ&  !XV6, F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a2efbbf3-80d4-4392-a183-f23624ac7a40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nep**p7,V ]Ɋ&  !XV7, F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a2efbbf3-80d4-4392-a183-f23624ac7a40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= } }p**h8,V ]Ɋ&  !XV8, F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a2efbbf3-80d4-4392-a183-f23624ac7a40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= falh**h9,V ]Ɋ&  !XV9, F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a2efbbf3-80d4-4392-a183-f23624ac7a40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) { h**h:,V ]Ɋ&  !XV:, F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a2efbbf3-80d4-4392-a183-f23624ac7a40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= } h**;,V ]Ɋ&  !V;, F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a2efbbf3-80d4-4392-a183-f23624ac7a40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=c363d200-dac6-4ca4-a1e0-d022770eaac8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omm**<,=V ]Ɋ& !=V<, F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=a2efbbf3-80d4-4392-a183-f23624ac7a40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=c363d200-dac6-4ca4-a1e0-d022770eaac8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=A**X=,x%V ]Ɋ&  !Xx%V=, F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=57eb3c1c-6aaa-4b76-9a2f-684820540d55 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=paX**p>,x%V ]Ɋ&  !Xx%V>, F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=57eb3c1c-6aaa-4b76-9a2f-684820540d55 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($p**p?,x%V ]Ɋ&  !Xx%V?, F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=57eb3c1c-6aaa-4b76-9a2f-684820540d55 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=":[]p"Domain"":"" ]Ɋ& 1fXx%V@, F&c3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  , F&ndLine=X5ElfChnk@,P,@,P,J-4Mu=VysMc&&**h@,x%V ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! I!Xx%V@, F&F%g>9{p(xlMD EventDatauoData !Binary FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=57eb3c1c-6aaa-4b76-9a2f-684820540d55 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sh**hA,x%V ]Ɋ&  !Xx%VA, F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=57eb3c1c-6aaa-4b76-9a2f-684820540d55 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tarth**hB,x%V ]Ɋ&  !Xx%VB, F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=57eb3c1c-6aaa-4b76-9a2f-684820540d55 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=habh**C,x%V ]Ɋ&  !x%VC, F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=57eb3c1c-6aaa-4b76-9a2f-684820540d55 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=e64c471e-d4aa-4568-ad07-371aa02f528c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= S**D,x%V ]Ɋ& !x%VD, F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=57eb3c1c-6aaa-4b76-9a2f-684820540d55 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=e64c471e-d4aa-4568-ad07-371aa02f528c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=q** E,&V ]Ɋ& w !X&VE, F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ca698310-037e-4376-89f4-e105f533858b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=N **8F,&V ]Ɋ&  !X&VF, F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ca698310-037e-4376-89f4-e105f533858b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n8**8G,&V ]Ɋ&  !X&VG, F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ca698310-037e-4376-89f4-e105f533858b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h {8**0H,&V ]Ɋ&  !X&VH, F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ca698310-037e-4376-89f4-e105f533858b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0I,&V ]Ɋ&  !X&VI, F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ca698310-037e-4376-89f4-e105f533858b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h-O0**0J,&V ]Ɋ&  !X&VJ, F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ca698310-037e-4376-89f4-e105f533858b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.E0**K,&V ]Ɋ&  !&VK, F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ca698310-037e-4376-89f4-e105f533858b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=a4f27379-1d16-476e-9cac-e6cdbd4204e7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=yU**L,$'V ]Ɋ&  !$'VL, F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=ca698310-037e-4376-89f4-e105f533858b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=a4f27379-1d16-476e-9cac-e6cdbd4204e7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Obj**M,$'V ]Ɋ&  !X$'VM, F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f3fa095a-e2e7-4f3e-b2b7-9da3c86aa9d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eyUs**N,$'V ]Ɋ&  !X$'VN, F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f3fa095a-e2e7-4f3e-b2b7-9da3c86aa9d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= For**O,$'V ]Ɋ& !X$'VO, F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f3fa095a-e2e7-4f3e-b2b7-9da3c86aa9d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **P,$'V ]Ɋ&  !X$'VP, F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f3fa095a-e2e7-4f3e-b2b7-9da3c86aa9d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ch  ]Ɋ&  X$'VQ, F&e-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=":[]p"Domain"":"" ]Ɋ& 1fXx%V@, F&c3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  , F&ndLine=X5ElfChnkQ,a,Q,a,0XGMu=VysMc&&**Q,$'V ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X$'VQ, F&F%g>9{p(xlMD EventDatauoData !Binary RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f3fa095a-e2e7-4f3e-b2b7-9da3c86aa9d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**R,$'V ]Ɋ&  !X$'VR, F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f3fa095a-e2e7-4f3e-b2b7-9da3c86aa9d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**S,$'V ]Ɋ& O!$'VS, F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f3fa095a-e2e7-4f3e-b2b7-9da3c86aa9d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=3750ea27-6dc7-4456-9c7c-9bceb061439f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **T,;'V ]Ɋ& [!;'VT, F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f3fa095a-e2e7-4f3e-b2b7-9da3c86aa9d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=3750ea27-6dc7-4456-9c7c-9bceb061439f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=equ**8 U,;'V ]Ɋ&  !X;'VU, F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=daa90f93-5f38-4687-b6e2-84be5962f5df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C8 **P V,;'V ]Ɋ&  !X;'VV, F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=daa90f93-5f38-4687-b6e2-84be5962f5df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= EP **P W,;'V ]Ɋ&  !X;'VW, F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=daa90f93-5f38-4687-b6e2-84be5962f5df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t-ObP **H X,;'V ]Ɋ&  !X;'VX, F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=daa90f93-5f38-4687-b6e2-84be5962f5df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= WinH **H Y,;'V ]Ɋ&  !X;'VY, F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=daa90f93-5f38-4687-b6e2-84be5962f5df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=and H **H Z,;'V ]Ɋ&  !X;'VZ, F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=daa90f93-5f38-4687-b6e2-84be5962f5df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ntiH ** [,;'V ]Ɋ&  !;'V[, F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=daa90f93-5f38-4687-b6e2-84be5962f5df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=4296f51a-c44e-4219-a10e-8236d35250f0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t $ ** \,;'V ]Ɋ&  !;'V\, F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=daa90f93-5f38-4687-b6e2-84be5962f5df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=4296f51a-c44e-4219-a10e-8236d35250f0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** ],U(V ]Ɋ& w !XU(V], F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d67f58bd-674f-42aa-b0b0-4acc84fc483b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8^,U(V ]Ɋ&  !XU(V^, F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d67f58bd-674f-42aa-b0b0-4acc84fc483b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8_,U(V ]Ɋ&  !XU(V_, F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d67f58bd-674f-42aa-b0b0-4acc84fc483b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= tr8**0`,U(V ]Ɋ&  !XU(V`, F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d67f58bd-674f-42aa-b0b0-4acc84fc483b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ARN0**0a,U(V ]Ɋ&  !XU(Va, F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d67f58bd-674f-42aa-b0b0-4acc84fc483b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ows0ersions - se ]Ɋ& NGXU(Vb, F&ttings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ch  ]Ɋ&  X$'VQ, F&e-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=":[]p"Domain"":"" ]Ɋ& 1fXx%V@, F&c3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  , F&ndLine=X5ElfChnkb,x,b,x,x@'!CJÁMu=VysMc&&**8b,U(V ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XU(Vb, F&F%g>9{p(xlMD EventDatauoData !Binaryb VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d67f58bd-674f-42aa-b0b0-4acc84fc483b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Com8**c,U(V ]Ɋ&  !U(Vc, F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d67f58bd-674f-42aa-b0b0-4acc84fc483b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=05b9b6ed-7eb5-460f-98b9-56f3d0f91f6d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Id**d,U(V ]Ɋ&  !U(Vd, F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=d67f58bd-674f-42aa-b0b0-4acc84fc483b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=05b9b6ed-7eb5-460f-98b9-56f3d0f91f6d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pace**e,h(V ]Ɋ& K!Xh(Ve, F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=126be6d7-4c17-4eca-86da-8474c0304068 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oun**f,h(V ]Ɋ& c!Xh(Vf, F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=126be6d7-4c17-4eca-86da-8474c0304068 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t t**g,h(V ]Ɋ& _!Xh(Vg, F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=126be6d7-4c17-4eca-86da-8474c0304068 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-**h,h(V ]Ɋ& W!Xh(Vh, F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=126be6d7-4c17-4eca-86da-8474c0304068 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**i,h(V ]Ɋ& W!Xh(Vi, F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=126be6d7-4c17-4eca-86da-8474c0304068 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**j,h(V ]Ɋ& Y!Xh(Vj, F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=126be6d7-4c17-4eca-86da-8474c0304068 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cess**Xk,h(V ]Ɋ& !h(Vk, F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=126be6d7-4c17-4eca-86da-8474c0304068 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=6a4d6aa0-7746-4567-8a22-72a4a7aa8c62 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=th= X**`l,h(V ]Ɋ& !h(Vl, F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=126be6d7-4c17-4eca-86da-8474c0304068 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=6a4d6aa0-7746-4567-8a22-72a4a7aa8c62 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=id`** m,h(V ]Ɋ& w !Xh(Vm, F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7facb91b-1729-4e7e-97df-a81e3af6e5a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o **8n,h(V ]Ɋ&  !Xh(Vn, F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7facb91b-1729-4e7e-97df-a81e3af6e5a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r8**8o,h(V ]Ɋ&  !Xh(Vo, F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7facb91b-1729-4e7e-97df-a81e3af6e5a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= if8**0p,h(V ]Ɋ&  !Xh(Vp, F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7facb91b-1729-4e7e-97df-a81e3af6e5a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=and0**0q,h(V ]Ɋ&  !Xh(Vq, F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7facb91b-1729-4e7e-97df-a81e3af6e5a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e) 0**0r,h(V ]Ɋ&  !Xh(Vr, F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7facb91b-1729-4e7e-97df-a81e3af6e5a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1 0**s,h(V ]Ɋ&  !h(Vs, F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7facb91b-1729-4e7e-97df-a81e3af6e5a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d02044a1-1675-4422-9568-9f71d9ba367c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bj**t,h(V ]Ɋ&  !h(Vt, F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4204258a-7b42-4ca1-8156-d32ea8929e66 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=219b04db-428b-401b-9c46-0974441696e9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**u,)V ]Ɋ&  !)Vu, F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=7facb91b-1729-4e7e-97df-a81e3af6e5a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d02044a1-1675-4422-9568-9f71d9ba367c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Hos** v,)V ]Ɋ&  !X)Vv, F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e96aed0c-7392-40c9-92f9-6178e10a425b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d ** w,)V ]Ɋ&  !X)Vw, F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e96aed0c-7392-40c9-92f9-6178e10a425b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** x,)V ]Ɋ&  !X)Vx, F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e96aed0c-7392-40c9-92f9-6178e10a425b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sNa -eq 'MSFT_T ]Ɋ&  !X)Vy, F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e96aed0c-7392-40c9-92f9-6178e10a425b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnky,,y,,@pdH2d;Mu=VysMc&&** y,)V ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !X)Vy, F&F%g>9{p(xlMD EventDatauoData !BinaryFunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e96aed0c-7392-40c9-92f9-6178e10a425b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** z,)V ]Ɋ&  !X)Vz, F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e96aed0c-7392-40c9-92f9-6178e10a425b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** {,)V ]Ɋ&  !X)V{, F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e96aed0c-7392-40c9-92f9-6178e10a425b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** |,)V ]Ɋ& e !)V|, F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e96aed0c-7392-40c9-92f9-6178e10a425b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=6f730c73-72a7-4835-a38c-46631aa5ee43 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.D **X},)V ]Ɋ&  !X)V}, F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1b015854-a622-4273-8297-868a0b7aa9bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= iX**p~,)V ]Ɋ&  !X)V~, F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1b015854-a622-4273-8297-868a0b7aa9bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**p,)V ]Ɋ&  !X)V, F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1b015854-a622-4273-8297-868a0b7aa9bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gicap**h,)V ]Ɋ&  !X)V, F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1b015854-a622-4273-8297-868a0b7aa9bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Neth**h,)V ]Ɋ&  !X)V, F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1b015854-a622-4273-8297-868a0b7aa9bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Silh**h,)V ]Ɋ&  !X)V, F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1b015854-a622-4273-8297-868a0b7aa9bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= foh**,)V ]Ɋ&  !)V, F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1b015854-a622-4273-8297-868a0b7aa9bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=aafe6e6b-de22-48c4-bb25-1429f1e7e315 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t-N**,)V ]Ɋ& !)V, F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=1b015854-a622-4273-8297-868a0b7aa9bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=aafe6e6b-de22-48c4-bb25-1429f1e7e315 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**X,)V ]Ɋ&  !X)V, F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=13e8e2df-3861-4dbf-885b-7fa95424ffc3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=jeX**p,)V ]Ɋ&  !X)V, F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=13e8e2df-3861-4dbf-885b-7fa95424ffc3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=app**p,)V ]Ɋ&  !X)V, F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=13e8e2df-3861-4dbf-885b-7fa95424ffc3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1b-1p**h,)V ]Ɋ&  !X)V, F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=13e8e2df-3861-4dbf-885b-7fa95424ffc3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e96ah**h,)V ]Ɋ&  !X)V, F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=13e8e2df-3861-4dbf-885b-7fa95424ffc3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=+= $h**h,)V ]Ɋ&  !X)V, F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=13e8e2df-3861-4dbf-885b-7fa95424ffc3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Numhr=7 Host ]Ɋ& ae)V, F&5b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk,,,,@4[9qMu=VysMc&&** ,)V ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !)V, F&F%g>9{p(xlMD EventDatauoData !BinaryN StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e96aed0c-7392-40c9-92f9-6178e10a425b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=6f730c73-72a7-4835-a38c-46631aa5ee43 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **,*V ]Ɋ&  !*V, F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=13e8e2df-3861-4dbf-885b-7fa95424ffc3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=c3512e45-9e39-46d7-92c6-15e7fa944fa0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s +**,*V ]Ɋ& !*V, F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=13e8e2df-3861-4dbf-885b-7fa95424ffc3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=c3512e45-9e39-46d7-92c6-15e7fa944fa0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**,*V ]Ɋ& 7!X*V, F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c3d21a1f-844c-4784-b84b-7d8ea082b603 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.**,*V ]Ɋ& O!X*V, F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c3d21a1f-844c-4784-b84b-7d8ea082b603 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**,*V ]Ɋ& K!X*V, F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c3d21a1f-844c-4784-b84b-7d8ea082b603 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **,*V ]Ɋ& C!X*V, F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c3d21a1f-844c-4784-b84b-7d8ea082b603 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **,*V ]Ɋ& C!X*V, F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c3d21a1f-844c-4784-b84b-7d8ea082b603 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ovi**,*V ]Ɋ& E!X*V, F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c3d21a1f-844c-4784-b84b-7d8ea082b603 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s **@,*V ]Ɋ& !*V, F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c3d21a1f-844c-4784-b84b-7d8ea082b603 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=93a93023-fa22-4d4c-bcda-013418ff2322 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= @**P,*V ]Ɋ& !*V, F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c3d21a1f-844c-4784-b84b-7d8ea082b603 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=93a93023-fa22-4d4c-bcda-013418ff2322 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=GE:$P**H,NV ]Ɋ& !XNV, F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4b025099-2543-450b-8190-9d22e74e3e2a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tH**`,NV ]Ɋ& !XNV, F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4b025099-2543-450b-8190-9d22e74e3e2a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**`,NV ]Ɋ& !XNV, F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4b025099-2543-450b-8190-9d22e74e3e2a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=PTU`**X,NV ]Ɋ& !XNV, F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4b025099-2543-450b-8190-9d22e74e3e2a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=29.X**X,NV ]Ɋ& !XNV, F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4b025099-2543-450b-8190-9d22e74e3e2a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-OuX**X,NV ]Ɋ& !XNV, F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4b025099-2543-450b-8190-9d22e74e3e2a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e X**,NV ]Ɋ& !NV, F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4b025099-2543-450b-8190-9d22e74e3e2a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=bd156130-16d4-4378-b26b-9844e68a3a2b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Va**,0&V ]Ɋ& K!X0&V, F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=423b864f-401c-42af-86bd-67030400834a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=OR:**,0&V ]Ɋ& c!X0&V, F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=423b864f-401c-42af-86bd-67030400834a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Ou**,0&V ]Ɋ& _!X0&V, F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=423b864f-401c-42af-86bd-67030400834a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a**,0&V ]Ɋ& W!X0&V, F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=423b864f-401c-42af-86bd-67030400834a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=9**,0&V ]Ɋ& W!X0&V, F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=423b864f-401c-42af-86bd-67030400834a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**,0&V ]Ɋ& Y!X0&V, F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=423b864f-401c-42af-86bd-67030400834a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=neId**X,0&V ]Ɋ& !0&V, F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=423b864f-401c-42af-86bd-67030400834a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b5347b55-61f7-42d6-af6a-73bd3a7a1f1f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**`,0&V ]Ɋ& !0&V, F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=423b864f-401c-42af-86bd-67030400834a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b5347b55-61f7-42d6-af6a-73bd3a7a1f1f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=k `** ,0&V ]Ɋ& w !X0&V, F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a275735e-9920-4189-b534-e345f381dc37 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ **8,0&V ]Ɋ&  !X0&V, F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a275735e-9920-4189-b534-e345f381dc37 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8,0&V ]Ɋ&  !X0&V, F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a275735e-9920-4189-b534-e345f381dc37 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { 8**0,0&V ]Ɋ&  !X0&V, F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a275735e-9920-4189-b534-e345f381dc37 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=edK0**0,0&V ]Ɋ&  !X0&V, F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a275735e-9920-4189-b534-e345f381dc37 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0$ekus = $eku ]Ɋ& alX0&V, F& } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Numhr=7 Host ]Ɋ& ae)V, F&5b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk,,,,m`T?Mu=VysMc&&**8,0&V ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X0&V, F&F%g>9{p(xlMD EventDatauoData !Binaryb VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a275735e-9920-4189-b534-e345f381dc37 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nme8**,0&V ]Ɋ&  !0&V, F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a275735e-9920-4189-b534-e345f381dc37 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=85a9cda9-dfc7-4759-9dcb-0e45ea806f7e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=si**,ƾV ]Ɋ&  !ƾV, F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=a275735e-9920-4189-b534-e345f381dc37 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=85a9cda9-dfc7-4759-9dcb-0e45ea806f7e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** ,ƾV ]Ɋ&  !XƾV, F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=401b4435-ccfa-4038-9302-5ecced827a0f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o ** ,ƾV ]Ɋ&  !XƾV, F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=401b4435-ccfa-4038-9302-5ecced827a0f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o ** ,ƾV ]Ɋ&  !XƾV, F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=401b4435-ccfa-4038-9302-5ecced827a0f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$_. ** ,ƾV ]Ɋ&  !XƾV, F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=401b4435-ccfa-4038-9302-5ecced827a0f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ppe ** ,ƾV ]Ɋ&  !XƾV, F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=401b4435-ccfa-4038-9302-5ecced827a0f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e= ** ,ƾV ]Ɋ&  !XƾV, F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=401b4435-ccfa-4038-9302-5ecced827a0f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er ** ,ƾV ]Ɋ& e !ƾV, F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=401b4435-ccfa-4038-9302-5ecced827a0f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=2ae99da8-f4a1-4552-af29-e166d05b85ba PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rs ** ,]WV ]Ɋ& q !]WV, F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=401b4435-ccfa-4038-9302-5ecced827a0f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=2ae99da8-f4a1-4552-af29-e166d05b85ba PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-or **,]WV ]Ɋ& 7!X]WV, F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f6601286-08f5-4c93-bea1-7d15d6978319 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **,]WV ]Ɋ& O!X]WV, F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f6601286-08f5-4c93-bea1-7d15d6978319 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-**,]WV ]Ɋ& K!X]WV, F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f6601286-08f5-4c93-bea1-7d15d6978319 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Wh**,]WV ]Ɋ& C!X]WV, F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f6601286-08f5-4c93-bea1-7d15d6978319 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=alD**,]WV ]Ɋ& C!X]WV, F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f6601286-08f5-4c93-bea1-7d15d6978319 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n32**,]WV ]Ɋ& E!X]WV, F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f6601286-08f5-4c93-bea1-7d15d6978319 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ct**@,]WV ]Ɋ& !]WV, F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f6601286-08f5-4c93-bea1-7d15d6978319 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=8eae7466-5d89-4bd7-8074-94158adcb899 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mm@**P,]WV ]Ɋ& !]WV, F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f6601286-08f5-4c93-bea1-7d15d6978319 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=8eae7466-5d89-4bd7-8074-94158adcb899 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d $P**,V ]Ɋ&  !V, F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4b025099-2543-450b-8190-9d22e74e3e2a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=bd156130-16d4-4378-b26b-9844e68a3a2b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pter**H, vW ]Ɋ& !X vW, F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4be11570-ad93-471e-a171-0385431d4f78 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-H**`, vW ]Ɋ& !X vW, F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4be11570-ad93-471e-a171-0385431d4f78 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-`**`, vW ]Ɋ& !X vW, F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4be11570-ad93-471e-a171-0385431d4f78 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ue `**X, vW ]Ɋ& !X vW, F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4be11570-ad93-471e-a171-0385431d4f78 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=AddX**X, vW ]Ɋ& !X vW, F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4be11570-ad93-471e-a171-0385431d4f78 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= PrX**X, vW ]Ɋ& !X vW, F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4be11570-ad93-471e-a171-0385431d4f78 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**, vW ]Ɋ& ! vW, F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4be11570-ad93-471e-a171-0385431d4f78 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=7b5dd67f-bdbe-4928-b0ce-a37abd69a5d6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=la**,W ]Ɋ& K!XW, F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=69f819b6-7fe3-4869-aade-00c59dc1bd13 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Hos**,W ]Ɋ& c!XW, F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=69f819b6-7fe3-4869-aade-00c59dc1bd13 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **,W ]Ɋ& _!XW, F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=69f819b6-7fe3-4869-aade-00c59dc1bd13 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**,W ]Ɋ& W!XW, F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=69f819b6-7fe3-4869-aade-00c59dc1bd13 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **,W ]Ɋ& W!XW, F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=69f819b6-7fe3-4869-aade-00c59dc1bd13 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=u**,W ]Ɋ& Y!XW, F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=69f819b6-7fe3-4869-aade-00c59dc1bd13 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r=**X,W ]Ɋ& !W, F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=69f819b6-7fe3-4869-aade-00c59dc1bd13 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b5600334-94f3-4306-9b9b-78516001f07a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=elseX "" } }  ]Ɋ& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk,,,,(xε3qQMu=VysMc&&**h ,W ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! E!W, F&F%g>9{p(xlMD EventDatauoData !BinaryStoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=69f819b6-7fe3-4869-aade-00c59dc1bd13 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b5600334-94f3-4306-9b9b-78516001f07a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Conh ** ,W ]Ɋ& w !XW, F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8dec4c4c-932c-4f84-ac26-80e412635893 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S **8,W ]Ɋ&  !XW, F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8dec4c4c-932c-4f84-ac26-80e412635893 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e8**8,W ]Ɋ&  !XW, F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8dec4c4c-932c-4f84-ac26-80e412635893 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ge8**0,W ]Ɋ&  !XW, F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8dec4c4c-932c-4f84-ac26-80e412635893 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0,W ]Ɋ&  !XW, F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8dec4c4c-932c-4f84-ac26-80e412635893 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ssF0**0,W ]Ɋ&  !XW, F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8dec4c4c-932c-4f84-ac26-80e412635893 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**,W ]Ɋ&  !W, F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8dec4c4c-932c-4f84-ac26-80e412635893 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=8bd113a6-398c-4005-92a8-28e28ed42ae0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ge**,$W ]Ɋ&  !$W, F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=8dec4c4c-932c-4f84-ac26-80e412635893 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=8bd113a6-398c-4005-92a8-28e28ed42ae0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=":""** ,$W ]Ɋ&  !X$W, F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=bd65d033-4e28-421b-bd88-84d0b00c12d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=x ** ,$W ]Ɋ&  !X$W, F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=bd65d033-4e28-421b-bd88-84d0b00c12d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** ,$W ]Ɋ&  !X$W, F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=bd65d033-4e28-421b-bd88-84d0b00c12d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rfa ** ,$W ]Ɋ&  !X$W, F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=bd65d033-4e28-421b-bd88-84d0b00c12d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-4c ** ,$W ]Ɋ&  !X$W, F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=bd65d033-4e28-421b-bd88-84d0b00c12d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=415 ** ,$W ]Ɋ&  !X$W, F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=bd65d033-4e28-421b-bd88-84d0b00c12d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Li ** ,$W ]Ɋ& e !$W, F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=bd65d033-4e28-421b-bd88-84d0b00c12d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=40cdb929-bfdc-4a04-8807-27680180dd16 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ta ** ,'W ]Ɋ& q !'W, F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=bd65d033-4e28-421b-bd88-84d0b00c12d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=40cdb929-bfdc-4a04-8807-27680180dd16 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cuti **,'W ]Ɋ& 7!X'W, F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f5d4e898-40a9-48e7-9ef6-e927f5422f04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**,'W ]Ɋ& O!X'W, F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f5d4e898-40a9-48e7-9ef6-e927f5422f04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**,'W ]Ɋ& K!X'W, F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f5d4e898-40a9-48e7-9ef6-e927f5422f04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Nam**,'W ]Ɋ& C!X'W, F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f5d4e898-40a9-48e7-9ef6-e927f5422f04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eId**,'W ]Ɋ& C!X'W, F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f5d4e898-40a9-48e7-9ef6-e927f5422f04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Pi**,'W ]Ɋ& E!X'W, F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f5d4e898-40a9-48e7-9ef6-e927f5422f04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ce**@,'W ]Ɋ& !'W, F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f5d4e898-40a9-48e7-9ef6-e927f5422f04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=8505d580-0f54-496a-bf0e-d9bacdddbfe2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me@**P,'W ]Ɋ& !'W, F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f5d4e898-40a9-48e7-9ef6-e927f5422f04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=8505d580-0f54-496a-bf0e-d9bacdddbfe2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mandPme= Comman ]Ɋ& neSW, F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk,,,,PuhLAMu=VysMc&&**,SW ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !SW, F&F%g>9{p(xlMD EventDatauoData !BinaryStoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4be11570-ad93-471e-a171-0385431d4f78 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=7b5dd67f-bdbe-4928-b0ce-a37abd69a5d6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **H,h(X ]Ɋ& !Xh(X, F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e84f8d60-fe1c-47ea-8aec-096d0e08333e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xH**`,h(X ]Ɋ& !Xh(X, F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e84f8d60-fe1c-47ea-8aec-096d0e08333e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n`**`,h(X ]Ɋ& !Xh(X, F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e84f8d60-fe1c-47ea-8aec-096d0e08333e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s W`**X,h(X ]Ɋ& !Xh(X, F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e84f8d60-fe1c-47ea-8aec-096d0e08333e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ostX**X,h(X ]Ɋ& !Xh(X, F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e84f8d60-fe1c-47ea-8aec-096d0e08333e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dapX**X,h(X ]Ɋ& !Xh(X, F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e84f8d60-fe1c-47ea-8aec-096d0e08333e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tiX**,h(X ]Ɋ& !h(X, F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e84f8d60-fe1c-47ea-8aec-096d0e08333e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=b1c74997-e15f-4fa5-89fb-b0dc8581392b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=FӨ**,)X ]Ɋ&  !)X, F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e84f8d60-fe1c-47ea-8aec-096d0e08333e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=b1c74997-e15f-4fa5-89fb-b0dc8581392b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rout**X,W 6X ]Ɋ&  !XW 6X, F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=00ea1a79-a378-4dce-96c4-bfd876002fad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**p,W 6X ]Ɋ&  !XW 6X, F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=00ea1a79-a378-4dce-96c4-bfd876002fad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Gp**p,W 6X ]Ɋ&  !XW 6X, F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=00ea1a79-a378-4dce-96c4-bfd876002fad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ex $p**h,W 6X ]Ɋ&  !XW 6X, F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=00ea1a79-a378-4dce-96c4-bfd876002fad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rrorh**h,W 6X ]Ɋ&  !XW 6X, F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=00ea1a79-a378-4dce-96c4-bfd876002fad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.Inth**h,W 6X ]Ɋ&  !XW 6X, F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=00ea1a79-a378-4dce-96c4-bfd876002fad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Comh**,W 6X ]Ɋ&  !W 6X, F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=00ea1a79-a378-4dce-96c4-bfd876002fad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=d148b923-d8dd-497e-87fc-afa72ced6efe PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ate**,W 6X ]Ɋ& !W 6X, F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=00ea1a79-a378-4dce-96c4-bfd876002fad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=d148b923-d8dd-497e-87fc-afa72ced6efe PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**X,d>X ]Ɋ&  !Xd>X, F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=85dcbfce-b69a-4eda-89ab-19a51c8ad9e6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=blX**p,d>X ]Ɋ&  !Xd>X, F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=85dcbfce-b69a-4eda-89ab-19a51c8ad9e6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Gep**p,d>X ]Ɋ&  !Xd>X, F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=85dcbfce-b69a-4eda-89ab-19a51c8ad9e6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cutip**h,d>X ]Ɋ&  !Xd>X, F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=85dcbfce-b69a-4eda-89ab-19a51c8ad9e6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NonIh**h,d>X ]Ɋ&  !Xd>X, F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=85dcbfce-b69a-4eda-89ab-19a51c8ad9e6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ersih**h,d>X ]Ɋ&  !Xd>X, F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=85dcbfce-b69a-4eda-89ab-19a51c8ad9e6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le h SequenceNu ]Ɋ& 4.d>X, F&-9ef6-e927f5422f04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=8505d580-0f54-496a-bf0e-d9bacdddbfe2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mandPme= Comman ]Ɋ& neSW, F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk, -, -)Mu=VysMc&&**,d>X ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !d>X, F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=85dcbfce-b69a-4eda-89ab-19a51c8ad9e6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=f38f8095-165e-4025-b3fd-56af75f34137 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**,(>X ]Ɋ& !(>X, F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=85dcbfce-b69a-4eda-89ab-19a51c8ad9e6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=f38f8095-165e-4025-b3fd-56af75f34137 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=:** ,(>X ]Ɋ& w !X(>X, F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=180df2eb-8f98-4fb0-b3cc-5b6d573ee19e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8,(>X ]Ɋ&  !X(>X, F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=180df2eb-8f98-4fb0-b3cc-5b6d573ee19e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==8**8-(>X ]Ɋ&  !X(>X- F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=180df2eb-8f98-4fb0-b3cc-5b6d573ee19e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ce 8**0-(>X ]Ɋ&  !X(>X- F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=180df2eb-8f98-4fb0-b3cc-5b6d573ee19e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omm0**0-(>X ]Ɋ&  !X(>X- F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=180df2eb-8f98-4fb0-b3cc-5b6d573ee19e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e -0**0-(>X ]Ɋ&  !X(>X- F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=180df2eb-8f98-4fb0-b3cc-5b6d573ee19e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xe0**-(>X ]Ɋ&  !(>X- F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=180df2eb-8f98-4fb0-b3cc-5b6d573ee19e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f7ccbe11-825f-4c17-a54d-3b2233e3f096 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le**-?X ]Ɋ&  !?X- F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=180df2eb-8f98-4fb0-b3cc-5b6d573ee19e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f7ccbe11-825f-4c17-a54d-3b2233e3f096 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tion**-?X ]Ɋ&  !X?X- F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4621253f-8f56-4ec2-99ee-57edecba3d8b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cati**-?X ]Ɋ&  !X?X- F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4621253f-8f56-4ec2-99ee-57edecba3d8b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nInt**-?X ]Ɋ& !X?X- F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4621253f-8f56-4ec2-99ee-57edecba3d8b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -** -?X ]Ɋ&  !X?X - F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4621253f-8f56-4ec2-99ee-57edecba3d8b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ** -?X ]Ɋ&  !X?X - F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4621253f-8f56-4ec2-99ee-57edecba3d8b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=v:** -?X ]Ɋ&  !X?X - F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4621253f-8f56-4ec2-99ee-57edecba3d8b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-** -?X ]Ɋ& O!?X - F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4621253f-8f56-4ec2-99ee-57edecba3d8b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=f937ce82-58e5-4bb8-92f1-87f78da9264e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-bacdddbfe2  ]Ɋ& riU.@X - F&andLine=mandPme= Comman ]Ɋ& neSW, F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk -$- -$-mIc,kMu=VysMc&&** -U.@X ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !U.@X - F&F%g>9{p(xlMD EventDatauoData !Binary8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4621253f-8f56-4ec2-99ee-57edecba3d8b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=f937ce82-58e5-4bb8-92f1-87f78da9264e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**-@X ]Ɋ& K!X@X- F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=db11251c-9545-476c-8e85-516ade521ab5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.Su**-@X ]Ɋ& c!X@X- F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=db11251c-9545-476c-8e85-516ade521ab5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **-@X ]Ɋ& _!X@X- F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=db11251c-9545-476c-8e85-516ade521ab5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**-@X ]Ɋ& W!X@X- F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=db11251c-9545-476c-8e85-516ade521ab5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **-@X ]Ɋ& W!X@X- F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=db11251c-9545-476c-8e85-516ade521ab5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **-@X ]Ɋ& Y!X@X- F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=db11251c-9545-476c-8e85-516ade521ab5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **X-@X ]Ɋ& !@X- F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=db11251c-9545-476c-8e85-516ade521ab5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=3eca3ce1-1099-4807-a565-1a5080c304ee PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ScX**`-@X ]Ɋ& !@X- F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=db11251c-9545-476c-8e85-516ade521ab5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=3eca3ce1-1099-4807-a565-1a5080c304ee PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=de`** -@X ]Ɋ& w !X@X- F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c78a8044-2696-47af-8267-95c6ef4adb04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r **8-@X ]Ɋ&  !X@X- F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c78a8044-2696-47af-8267-95c6ef4adb04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e8**8-@X ]Ɋ&  !X@X- F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c78a8044-2696-47af-8267-95c6ef4adb04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ind8**0-@X ]Ɋ&  !X@X- F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c78a8044-2696-47af-8267-95c6ef4adb04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eIn0**0-@X ]Ɋ&  !X@X- F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c78a8044-2696-47af-8267-95c6ef4adb04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0-@X ]Ɋ&  !X@X- F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c78a8044-2696-47af-8267-95c6ef4adb04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le0**-@X ]Ɋ&  !@X- F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c78a8044-2696-47af-8267-95c6ef4adb04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=039e80e4-0341-4660-9f8d-e3ecfddc7caf PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=an**-_AX ]Ɋ&  !_AX- F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=c78a8044-2696-47af-8267-95c6ef4adb04 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=039e80e4-0341-4660-9f8d-e3ecfddc7caf PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Inte** -_AX ]Ɋ&  !X_AX- F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f1fe4564-9109-47ec-8492-7bdfb9e04f6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** -_AX ]Ɋ&  !X_AX- F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f1fe4564-9109-47ec-8492-7bdfb9e04f6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=u ** -_AX ]Ɋ&  !X_AX - F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f1fe4564-9109-47ec-8492-7bdfb9e04f6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Res ** !-_AX ]Ɋ&  !X_AX!- F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f1fe4564-9109-47ec-8492-7bdfb9e04f6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** ** "-_AX ]Ɋ&  !X_AX"- F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f1fe4564-9109-47ec-8492-7bdfb9e04f6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r = ** #-_AX ]Ɋ&  !X_AX#- F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f1fe4564-9109-47ec-8492-7bdfb9e04f6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Co ** $-_AX ]Ɋ& e !_AX$- F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f1fe4564-9109-47ec-8492-7bdfb9e04f6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=72323b39-412f-4f27-838e-a340affb27f4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== -bacdddbf ]Ɋ& _AX%- F&&andLine=mandPme= Comman ]Ɋ& neSW, F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk%-:-%-:-(9rMu=VysMc&&** %-_AX ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !_AX%- F&F%g>9{p(xlMD EventDatauoData !BinaryN StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f1fe4564-9109-47ec-8492-7bdfb9e04f6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=72323b39-412f-4f27-838e-a340affb27f4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f **&-AX ]Ɋ& 7!XAX&- F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e40793df-5f8e-49d3-8b84-b40097038d49 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m**'-AX ]Ɋ& O!XAX'- F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e40793df-5f8e-49d3-8b84-b40097038d49 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**(-AX ]Ɋ& K!XAX(- F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e40793df-5f8e-49d3-8b84-b40097038d49 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sta**)-AX ]Ɋ& C!XAX)- F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e40793df-5f8e-49d3-8b84-b40097038d49 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Fu***-AX ]Ɋ& C!XAX*- F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e40793df-5f8e-49d3-8b84-b40097038d49 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**+-AX ]Ɋ& E!XAX+- F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e40793df-5f8e-49d3-8b84-b40097038d49 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**@,-AX ]Ɋ& !AX,- F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e40793df-5f8e-49d3-8b84-b40097038d49 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=36927b4e-c5af-49e6-acb8-7dbb14e2e695 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ne@**P--AX ]Ɋ& !AX-- F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e40793df-5f8e-49d3-8b84-b40097038d49 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=36927b4e-c5af-49e6-acb8-7dbb14e2e695 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dAvP**8 .-6$FX ]Ɋ&  !X6$FX.- F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=828f1425-ab63-42a0-863e-328e0dc631de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8 **P /-6$FX ]Ɋ&  !X6$FX/- F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=828f1425-ab63-42a0-863e-328e0dc631de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndP **P 0-6$FX ]Ɋ&  !X6$FX0- F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=828f1425-ab63-42a0-863e-328e0dc631de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nterP **H 1-6$FX ]Ɋ&  !X6$FX1- F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=828f1425-ab63-42a0-863e-328e0dc631de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ActiH **H 2-6$FX ]Ɋ&  !X6$FX2- F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=828f1425-ab63-42a0-863e-328e0dc631de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=PrefH **H 3-6$FX ]Ɋ&  !X6$FX3- F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=828f1425-ab63-42a0-863e-328e0dc631de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$nuH ** 4-6$FX ]Ɋ&  !6$FX4- F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=828f1425-ab63-42a0-863e-328e0dc631de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=cfdec665-ab91-44e8-a0df-c05710773eb2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ive ** 5-6$FX ]Ɋ&  !6$FX5- F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=828f1425-ab63-42a0-863e-328e0dc631de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=cfdec665-ab91-44e8-a0df-c05710773eb2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s ** 6-ͼFX ]Ɋ& w !XͼFX6- F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b9bb135f-bfea-494c-93e8-b3b150a35cbe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e **87-ͼFX ]Ɋ&  !XͼFX7- F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b9bb135f-bfea-494c-93e8-b3b150a35cbe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n8**88-ͼFX ]Ɋ&  !XͼFX8- F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b9bb135f-bfea-494c-93e8-b3b150a35cbe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= !8**09-ͼFX ]Ɋ&  !XͼFX9- F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b9bb135f-bfea-494c-93e8-b3b150a35cbe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= i0**0:-ͼFX ]Ɋ&  !XͼFX:- F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b9bb135f-bfea-494c-93e8-b3b150a35cbe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== 0criptName=  ]Ɋ& XͼFX;- F&e !_AX$- F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f1fe4564-9109-47ec-8492-7bdfb9e04f6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=72323b39-412f-4f27-838e-a340affb27f4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== -bacdddbf ]Ɋ& _AX%- F&&andLine=mandPme= Comman ]Ɋ& neSW, F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk;-Q-;-Q-HMCMu=VysMc&&**8;-ͼFX ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XͼFX;- F&F%g>9{p(xlMD EventDatauoData !Binaryb VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b9bb135f-bfea-494c-93e8-b3b150a35cbe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ace8**<-ͼFX ]Ɋ&  !ͼFX<- F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b9bb135f-bfea-494c-93e8-b3b150a35cbe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=e557014d-41c2-4b1c-a943-b7c0a4e8d349 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Fu**=-ͼFX ]Ɋ&  !ͼFX=- F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=b9bb135f-bfea-494c-93e8-b3b150a35cbe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=e557014d-41c2-4b1c-a943-b7c0a4e8d349 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-and**>-cUGX ]Ɋ& K!XcUGX>- F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ce4abf65-f5cb-41f5-b967-e7c692b9eccd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $_**?-cUGX ]Ɋ& c!XcUGX?- F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ce4abf65-f5cb-41f5-b967-e7c692b9eccd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_.S**@-cUGX ]Ɋ& _!XcUGX@- F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ce4abf65-f5cb-41f5-b967-e7c692b9eccd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **A-cUGX ]Ɋ& W!XcUGXA- F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ce4abf65-f5cb-41f5-b967-e7c692b9eccd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a**B-cUGX ]Ɋ& W!XcUGXB- F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ce4abf65-f5cb-41f5-b967-e7c692b9eccd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=4**C-cUGX ]Ɋ& Y!XcUGXC- F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ce4abf65-f5cb-41f5-b967-e7c692b9eccd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=une-**XD-cUGX ]Ɋ& !cUGXD- F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ce4abf65-f5cb-41f5-b967-e7c692b9eccd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b4ae38e4-b77b-48f9-b091-96ef9c5dbafb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=StaX**`E-cUGX ]Ɋ& !cUGXE- F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ce4abf65-f5cb-41f5-b967-e7c692b9eccd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b4ae38e4-b77b-48f9-b091-96ef9c5dbafb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ue`** F-cUGX ]Ɋ& w !XcUGXF- F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=63720ba3-af66-4060-b884-f072660e1129 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=- **8G-cUGX ]Ɋ&  !XcUGXG- F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=63720ba3-af66-4060-b884-f072660e1129 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a8**8H-cUGX ]Ɋ&  !XcUGXH- F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=63720ba3-af66-4060-b884-f072660e1129 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nDa8**0I-cUGX ]Ɋ&  !XcUGXI- F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=63720ba3-af66-4060-b884-f072660e1129 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$sh0**0J-cUGX ]Ɋ&  !XcUGXJ- F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=63720ba3-af66-4060-b884-f072660e1129 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=top0**0K-cUGX ]Ɋ&  !XcUGXK- F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=63720ba3-af66-4060-b884-f072660e1129 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=te0**L-cUGX ]Ɋ&  !cUGXL- F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=63720ba3-af66-4060-b884-f072660e1129 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=3e66851c-3d60-4f6b-b6cb-cebac5381876 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ob**M-GX ]Ɋ&  !GXM- F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=63720ba3-af66-4060-b884-f072660e1129 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=3e66851c-3d60-4f6b-b6cb-cebac5381876 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $cf** N-GX ]Ɋ&  !XGXN- F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5ae26ed5-4c73-47dc-87aa-5021b5972d88 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=k ** O-GX ]Ɋ&  !XGXO- F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5ae26ed5-4c73-47dc-87aa-5021b5972d88 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ ** P-GX ]Ɋ&  !XGXP- F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5ae26ed5-4c73-47dc-87aa-5021b5972d88 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d= ** Q-GX ]Ɋ&  !XGXQ- F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5ae26ed5-4c73-47dc-87aa-5021b5972d88 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" EngineV ]Ɋ& -aXGXR- F&ommandName= CommandType= ScriptName= CommandPath= CommandLine== -bacdddbf ]Ɋ& _AX%- F&&andLine=mandPme= Comman ]Ɋ& neSW, F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnkR-c-R-c-[Mu=VysMc&&** R-GX ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !XGXR- F&F%g>9{p(xlMD EventDatauoData !BinaryRegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5ae26ed5-4c73-47dc-87aa-5021b5972d88 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** S-GX ]Ɋ&  !XGXS- F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5ae26ed5-4c73-47dc-87aa-5021b5972d88 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** T-GX ]Ɋ& e !GXT- F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5ae26ed5-4c73-47dc-87aa-5021b5972d88 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=0d50e548-f39a-4ed9-aabd-be91f3b4d278 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Av **XU-GX ]Ɋ&  !XGXU- F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d06970f8-7f19-4bd6-9d02-3951225049fd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=>-X**pV-GX ]Ɋ&  !XGXV- F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d06970f8-7f19-4bd6-9d02-3951225049fd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -p**pW-GX ]Ɋ&  !XGXW- F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d06970f8-7f19-4bd6-9d02-3951225049fd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Commp**hX-GX ]Ɋ&  !XGXX- F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d06970f8-7f19-4bd6-9d02-3951225049fd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Numbh**hY-GX ]Ɋ&  !XGXY- F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d06970f8-7f19-4bd6-9d02-3951225049fd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=entlh**hZ-GX ]Ɋ&  !XGXZ- F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d06970f8-7f19-4bd6-9d02-3951225049fd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fg h**[-GX ]Ɋ&  !GX[- F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d06970f8-7f19-4bd6-9d02-3951225049fd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=add0434f-dafd-4562-9306-3343ffca9174 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=| W**\-GX ]Ɋ& !GX\- F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d06970f8-7f19-4bd6-9d02-3951225049fd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=add0434f-dafd-4562-9306-3343ffca9174 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=}** ]-HX ]Ɋ& q !HX]- F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5ae26ed5-4c73-47dc-87aa-5021b5972d88 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=0d50e548-f39a-4ed9-aabd-be91f3b4d278 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($ad **X^-HX ]Ɋ&  !XHX^- F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8b78026b-884a-45e6-b7e5-4b8ec5ad6937 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=erX**p_-HX ]Ɋ&  !XHX_- F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8b78026b-884a-45e6-b7e5-4b8ec5ad6937 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Adp**p`-HX ]Ɋ&  !XHX`- F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8b78026b-884a-45e6-b7e5-4b8ec5ad6937 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=and p**ha-HX ]Ɋ&  !XHXa- F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8b78026b-884a-45e6-b7e5-4b8ec5ad6937 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rverh**hb-HX ]Ɋ&  !XHXb- F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8b78026b-884a-45e6-b7e5-4b8ec5ad6937 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ostIh**hc-HX ]Ɋ&  !XHXc- F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8b78026b-884a-45e6-b7e5-4b8ec5ad6937 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= +=hcomputerInfo ]Ɋ& rsHXd- F&| Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" EngineV ]Ɋ& -aXGXR- F&ommandName= CommandType= ScriptName= CommandPath= CommandLine== -bacdddbf ]Ɋ& _AX%- F&&andLine=mandPme= Comman ]Ɋ& neSW, F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnkd--d--hi8uSTMu=VysMc&&**d-HX ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !HXd- F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8b78026b-884a-45e6-b7e5-4b8ec5ad6937 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=83b17505-fda3-4b56-b3c2-3daf1281cd13 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**e-HX ]Ɋ& !HXe- F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=8b78026b-884a-45e6-b7e5-4b8ec5ad6937 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=83b17505-fda3-4b56-b3c2-3daf1281cd13 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**f-HX ]Ɋ& 7!XHXf- F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=be1eebd6-e973-41bc-86fe-2b568c756069 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**g-HX ]Ɋ& O!XHXg- F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=be1eebd6-e973-41bc-86fe-2b568c756069 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**h-HX ]Ɋ& K!XHXh- F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=be1eebd6-e973-41bc-86fe-2b568c756069 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=:NE**i-HX ]Ɋ& C!XHXi- F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=be1eebd6-e973-41bc-86fe-2b568c756069 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **j-HX ]Ɋ& C!XHXj- F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=be1eebd6-e973-41bc-86fe-2b568c756069 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eSy**k-HX ]Ɋ& E!XHXk- F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=be1eebd6-e973-41bc-86fe-2b568c756069 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rt**@l-HX ]Ɋ& !HXl- F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=be1eebd6-e973-41bc-86fe-2b568c756069 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=64c40d4e-9d29-4246-94b3-b08d911a0cf1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= W@**Pm-HX ]Ɋ& !HXm- F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=be1eebd6-e973-41bc-86fe-2b568c756069 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=64c40d4e-9d29-4246-94b3-b08d911a0cf1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=US:$P**n-XX ]Ɋ& U!XXXn- F&2AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=34bda93a-f8ec-45bb-ada1-85f26bf7100d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ec**o-XX ]Ɋ& m!XXXo- F&JEnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=34bda93a-f8ec-45bb-ada1-85f26bf7100d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**p-XX ]Ɋ& i!XXXp- F&FFileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=34bda93a-f8ec-45bb-ada1-85f26bf7100d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rtif**q-XX ]Ɋ& a!XXXq- F&>FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=34bda93a-f8ec-45bb-ada1-85f26bf7100d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Enha**r-XX ]Ɋ& a!XXXr- F&>RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=34bda93a-f8ec-45bb-ada1-85f26bf7100d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=uenc**s-XX ]Ɋ& c!XXXs- F&@VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=34bda93a-f8ec-45bb-ada1-85f26bf7100d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tpu**`t-XX ]Ɋ& !XXt- F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=34bda93a-f8ec-45bb-ada1-85f26bf7100d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion=4.0 RunspaceId=612402cd-9633-4f86-a235-e02282fb6a68 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=atc`**hu-pXX ]Ɋ& !pXXu- F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=34bda93a-f8ec-45bb-ada1-85f26bf7100d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion=4.0 RunspaceId=612402cd-9633-4f86-a235-e02282fb6a68 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sh**Hv-ƿX ]Ɋ& !XƿXv- F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1ddbd1a5-0e77-4bb7-9cfc-2e551b626a72 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=uH**`w-ƿX ]Ɋ& !XƿXw- F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1ddbd1a5-0e77-4bb7-9cfc-2e551b626a72 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_`**`x-ƿX ]Ɋ& !XƿXx- F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1ddbd1a5-0e77-4bb7-9cfc-2e551b626a72 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Pr`**Xy-ƿX ]Ɋ& !XƿXy- F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1ddbd1a5-0e77-4bb7-9cfc-2e551b626a72 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ge)X**Xz-ƿX ]Ɋ& !XƿXz- F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1ddbd1a5-0e77-4bb7-9cfc-2e551b626a72 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=TypX**X{-ƿX ]Ɋ& !XƿX{- F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1ddbd1a5-0e77-4bb7-9cfc-2e551b626a72 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**|-ƿX ]Ɋ& !ƿX|- F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1ddbd1a5-0e77-4bb7-9cfc-2e551b626a72 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=43b646a1-c974-476f-8282-f4deb66daabb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$a**}-X ]Ɋ&  !X}- F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=1ddbd1a5-0e77-4bb7-9cfc-2e551b626a72 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=43b646a1-c974-476f-8282-f4deb66daabb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=""}"**~-+X ]Ɋ& K!X+X~- F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=79f3c12a-539c-4a1a-8127-e410a6424070 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=th **-+X ]Ɋ& c!X+X- F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=79f3c12a-539c-4a1a-8127-e410a6424070 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=anc**-+X ]Ɋ& _!X+X- F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=79f3c12a-539c-4a1a-8127-e410a6424070 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r**-+X ]Ɋ& W!X+X- F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=79f3c12a-539c-4a1a-8127-e410a6424070 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**-+X ]Ɋ& W!X+X- F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=79f3c12a-539c-4a1a-8127-e410a6424070 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**-+X ]Ɋ& Y!X+X- F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=79f3c12a-539c-4a1a-8127-e410a6424070 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=IGNE**X-+X ]Ɋ& !+X- F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=79f3c12a-539c-4a1a-8127-e410a6424070 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=53683d01-8a0d-4e8e-b5a9-3e892074059d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**`-+X ]Ɋ& !+X- F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=79f3c12a-539c-4a1a-8127-e410a6424070 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=53683d01-8a0d-4e8e-b5a9-3e892074059d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `** -+X ]Ɋ& w !X+X- F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=25d297af-f7e0-4157-87ff-2d53dac83909 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_ **8-+X ]Ɋ&  !X+X- F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=25d297af-f7e0-4157-87ff-2d53dac83909 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine='8**8-+X ]Ɋ&  !X+X- F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=25d297af-f7e0-4157-87ff-2d53dac83909 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8 ]Ɋ&  CX+X- F&ommandPath= CommandLine== -bacdddbf ]Ɋ& _AX%- F&&andLine=mandPme= Comman ]Ɋ& neSW, F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk----';Mu=VysMc&&**0-+X ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X+X- F&F%g>9{p(xlMD EventDatauoData !Binary` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=25d297af-f7e0-4157-87ff-2d53dac83909 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0-+X ]Ɋ&  !X+X- F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=25d297af-f7e0-4157-87ff-2d53dac83909 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0-+X ]Ɋ&  !X+X- F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=25d297af-f7e0-4157-87ff-2d53dac83909 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=te0**-+X ]Ɋ&  !+X- F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=25d297af-f7e0-4157-87ff-2d53dac83909 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=c625543b-6a9b-4475-85b5-99356487220c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t **-%X ]Ɋ&  !%X- F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=25d297af-f7e0-4157-87ff-2d53dac83909 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=c625543b-6a9b-4475-85b5-99356487220c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** -%X ]Ɋ&  !X%X- F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d4a50b2b-2653-494e-8c96-107d4686dcf0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a ** -%X ]Ɋ&  !X%X- F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d4a50b2b-2653-494e-8c96-107d4686dcf0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t ** -%X ]Ɋ&  !X%X- F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d4a50b2b-2653-494e-8c96-107d4686dcf0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nst ** -%X ]Ɋ&  !X%X- F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d4a50b2b-2653-494e-8c96-107d4686dcf0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rac ** -%X ]Ɋ&  !X%X- F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d4a50b2b-2653-494e-8c96-107d4686dcf0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ole ** -%X ]Ɋ&  !X%X- F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d4a50b2b-2653-494e-8c96-107d4686dcf0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= - ** -%X ]Ɋ& e !%X- F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d4a50b2b-2653-494e-8c96-107d4686dcf0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=77c1ecd9-7a1b-4416-bed1-29d5574b6c1a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ri ** -XX ]Ɋ& q !XX- F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d4a50b2b-2653-494e-8c96-107d4686dcf0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=77c1ecd9-7a1b-4416-bed1-29d5574b6c1a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=St **-VX ]Ɋ& 7!XVX- F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6126138c-9a7e-4941-9f90-6f8ba4d9b989 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a**-VX ]Ɋ& O!XVX- F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6126138c-9a7e-4941-9f90-6f8ba4d9b989 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=3**-VX ]Ɋ& K!XVX- F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6126138c-9a7e-4941-9f90-6f8ba4d9b989 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**-VX ]Ɋ& C!XVX- F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6126138c-9a7e-4941-9f90-6f8ba4d9b989 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ion**-VX ]Ɋ& C!XVX- F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6126138c-9a7e-4941-9f90-6f8ba4d9b989 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Hos**-VX ]Ɋ& E!XVX- F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6126138c-9a7e-4941-9f90-6f8ba4d9b989 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eH**@-VX ]Ɋ& !VX- F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6126138c-9a7e-4941-9f90-6f8ba4d9b989 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=d909bc85-8eca-4890-b410-4a48dd19f405 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=os@**P-VX ]Ɋ& !VX- F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=6126138c-9a7e-4941-9f90-6f8ba4d9b989 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=d909bc85-8eca-4890-b410-4a48dd19f405 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sionP**H-$Y ]Ɋ& !X$Y- F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c8f99275-d92a-4ade-9eb5-7f4267176346 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==H**`-$Y ]Ɋ& !X$Y- F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c8f99275-d92a-4ade-9eb5-7f4267176346 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=x`**`-$Y ]Ɋ& !X$Y- F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c8f99275-d92a-4ade-9eb5-7f4267176346 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**X-$Y ]Ɋ& !X$Y- F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c8f99275-d92a-4ade-9eb5-7f4267176346 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=catX**X-$Y ]Ɋ& !X$Y- F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c8f99275-d92a-4ade-9eb5-7f4267176346 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=onPX**X-$Y ]Ɋ& !X$Y- F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c8f99275-d92a-4ade-9eb5-7f4267176346 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-0X**-$Y ]Ɋ& !$Y- F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c8f99275-d92a-4ade-9eb5-7f4267176346 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a4f27396-b639-46a6-a066-7633fccc65bb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=au**-2Y ]Ɋ&  !2Y- F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c8f99275-d92a-4ade-9eb5-7f4267176346 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a4f27396-b639-46a6-a066-7633fccc65bb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le -**-]Y ]Ɋ& K!X]Y- F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ba2780ba-af27-4421-9fd0-69852d0a108b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= }**-]Y ]Ɋ& c!X]Y- F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ba2780ba-af27-4421-9fd0-69852d0a108b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ]Ɋ&  CX]Y- F&bf ]Ɋ& _AX%- F&&andLine=mandPme= Comman ]Ɋ& neSW, F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk----IU"v7Mu=VysMc&&** -]Y ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X]Y- F&F%g>9{p(xlMD EventDatauoData !Binary<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ba2780ba-af27-4421-9fd0-69852d0a108b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ro **-]Y ]Ɋ& W!X]Y- F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ba2780ba-af27-4421-9fd0-69852d0a108b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**-]Y ]Ɋ& W!X]Y- F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ba2780ba-af27-4421-9fd0-69852d0a108b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s**-]Y ]Ɋ& Y!X]Y- F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ba2780ba-af27-4421-9fd0-69852d0a108b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Cla**X-]Y ]Ɋ& !]Y- F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ba2780ba-af27-4421-9fd0-69852d0a108b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=2f9db8b2-91cb-4d87-84bb-c16746490aea PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ff-2X**`-]Y ]Ɋ& !]Y- F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ba2780ba-af27-4421-9fd0-69852d0a108b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=2f9db8b2-91cb-4d87-84bb-c16746490aea PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `** -]Y ]Ɋ& w !X]Y- F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=3a23f299-fa5a-42fb-998d-2441404ef711 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8-]Y ]Ɋ&  !X]Y- F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=3a23f299-fa5a-42fb-998d-2441404ef711 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a8**8-]Y ]Ɋ&  !X]Y- F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=3a23f299-fa5a-42fb-998d-2441404ef711 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e {8**0-]Y ]Ɋ&  !X]Y- F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=3a23f299-fa5a-42fb-998d-2441404ef711 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NoP0**0-]Y ]Ɋ&  !X]Y- F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=3a23f299-fa5a-42fb-998d-2441404ef711 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= @{0**0-]Y ]Ɋ&  !X]Y- F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=3a23f299-fa5a-42fb-998d-2441404ef711 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e=0**-]Y ]Ɋ&  !]Y- F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=3a23f299-fa5a-42fb-998d-2441404ef711 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=01a70fcb-0643-40e8-b00f-4968c9129779 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.C**-Y ]Ɋ&  !Y- F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=3a23f299-fa5a-42fb-998d-2441404ef711 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=01a70fcb-0643-40e8-b00f-4968c9129779 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= FӐ** -Y ]Ɋ&  !XY- F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c72c675a-5238-4e2a-94c5-bdd994e91766 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} ** -Y ]Ɋ&  !XY- F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c72c675a-5238-4e2a-94c5-bdd994e91766 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h ** -Y ]Ɋ&  !XY- F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c72c675a-5238-4e2a-94c5-bdd994e91766 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** -Y ]Ɋ&  !XY- F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c72c675a-5238-4e2a-94c5-bdd994e91766 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=res ** -Y ]Ɋ&  !XY- F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c72c675a-5238-4e2a-94c5-bdd994e91766 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d ** -Y ]Ɋ&  !XY- F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c72c675a-5238-4e2a-94c5-bdd994e91766 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ow ** -Y ]Ɋ& e !Y- F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c72c675a-5238-4e2a-94c5-bdd994e91766 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=74bc34e9-6040-487c-b403-b8fe1c1c4d21 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ne ** -Y ]Ɋ& q !Y- F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c72c675a-5238-4e2a-94c5-bdd994e91766 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=74bc34e9-6040-487c-b403-b8fe1c1c4d21 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **-Y ]Ɋ& 7!XY- F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=52cbbff2-8dc2-4d3e-9c40-6c945813f0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=H**-Y ]Ɋ& O!XY- F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=52cbbff2-8dc2-4d3e-9c40-6c945813f0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**-Y ]Ɋ& K!XY- F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=52cbbff2-8dc2-4d3e-9c40-6c945813f0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me Comman ] ]Ɋ& XY- F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk----0hPMu=VysMc&&** -Y ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XY- F&F%g>9{p(xlMD EventDatauoData !Binary FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=52cbbff2-8dc2-4d3e-9c40-6c945813f0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **-Y ]Ɋ& C!XY- F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=52cbbff2-8dc2-4d3e-9c40-6c945813f0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndP**-Y ]Ɋ& E!XY- F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=52cbbff2-8dc2-4d3e-9c40-6c945813f0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **@-Y ]Ɋ& !Y- F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=52cbbff2-8dc2-4d3e-9c40-6c945813f0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=9360b6d1-6b55-40ca-aeb4-f9790e2f925b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=@**P-Y ]Ɋ& !Y- F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=52cbbff2-8dc2-4d3e-9c40-6c945813f0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=9360b6d1-6b55-40ca-aeb4-f9790e2f925b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ine=P**H-`AZ ]Ɋ& !X`AZ- F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=19772d26-4f80-47e7-acbb-e249951bd10a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**`-`AZ ]Ɋ& !X`AZ- F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=19772d26-4f80-47e7-acbb-e249951bd10a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i`**`-`AZ ]Ɋ& !X`AZ- F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=19772d26-4f80-47e7-acbb-e249951bd10a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**X-`AZ ]Ɋ& !X`AZ- F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=19772d26-4f80-47e7-acbb-e249951bd10a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=irsX**X-`AZ ]Ɋ& !X`AZ- F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=19772d26-4f80-47e7-acbb-e249951bd10a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= NeX**X-`AZ ]Ɋ& !X`AZ- F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=19772d26-4f80-47e7-acbb-e249951bd10a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=utX**-`AZ ]Ɋ& !`AZ- F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=19772d26-4f80-47e7-acbb-e249951bd10a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=c7e70f83-5da1-4c5a-8016-be6826738919 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=te**X-q}NZ ]Ɋ&  !Xq}NZ- F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=984e0f24-5501-487c-8615-b93b1c6ae2d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= WX**p-q}NZ ]Ɋ&  !Xq}NZ- F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=984e0f24-5501-487c-8615-b93b1c6ae2d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d p**p-q}NZ ]Ɋ&  !Xq}NZ- F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=984e0f24-5501-487c-8615-b93b1c6ae2d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=MACAp**h-q}NZ ]Ɋ&  !Xq}NZ- F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=984e0f24-5501-487c-8615-b93b1c6ae2d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t -Fh**h-q}NZ ]Ɋ&  !Xq}NZ- F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=984e0f24-5501-487c-8615-b93b1c6ae2d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $h**h-q}NZ ]Ɋ&  !Xq}NZ- F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=984e0f24-5501-487c-8615-b93b1c6ae2d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**-q}NZ ]Ɋ&  !q}NZ- F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=984e0f24-5501-487c-8615-b93b1c6ae2d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=63c5d5e9-4320-4dcd-b673-7c05de6cd393 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ost**-q}NZ ]Ɋ& !q}NZ- F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=984e0f24-5501-487c-8615-b93b1c6ae2d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=63c5d5e9-4320-4dcd-b673-7c05de6cd393 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==**`-oXZ ]Ɋ& !XoXZ- F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b307806d-455e-4433-b488-565843b2db7d HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-1t5lwzu3.dfp.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ewP`**x-oXZ ]Ɋ& !XoXZ- F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b307806d-455e-4433-b488-565843b2db7d HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-1t5lwzu3.dfp.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= x**p-oXZ ]Ɋ& !XoXZ- F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b307806d-455e-4433-b488-565843b2db7d HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-1t5lwzu3.dfp.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**h-oXZ ]Ɋ& !XoXZ- F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b307806d-455e-4433-b488-565843b2db7d HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-1t5lwzu3.dfp.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ch**h-oXZ ]Ɋ& !XoXZ- F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b307806d-455e-4433-b488-565843b2db7d HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-1t5lwzu3.dfp.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eh**p-oXZ ]Ɋ& !XoXZ- F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b307806d-455e-4433-b488-565843b2db7d HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-1t5lwzu3.dfp.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=() p**-oXZ ]Ɋ& !oXZ- F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b307806d-455e-4433-b488-565843b2db7d HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-1t5lwzu3.dfp.ps1 EngineVersion=4.0 RunspaceId=c6b67254-1e85-48d3-8bcc-046e386bfdaa PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=erve**-oXZ ]Ɋ& !oXZ- F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=b307806d-455e-4433-b488-565843b2db7d HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-1t5lwzu3.dfp.ps1 EngineVersion=4.0 RunspaceId=c6b67254-1e85-48d3-8bcc-046e386bfdaa PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rv** -oXZ ]Ɋ& w !XoXZ- F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0804267a-ca21-482d-a740-109b64f8978d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t **8-oXZ ]Ɋ&  !XoXZ- F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0804267a-ca21-482d-a740-109b64f8978d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=C8mandLine= ]Ɋ& XoXZ- F&- F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=52cbbff2-8dc2-4d3e-9c40-6c945813f0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me Comman ] ]Ɋ& XY- F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk----0!9H :Mu=VysMc&&**8-oXZ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XoXZ- F&F%g>9{p(xlMD EventDatauoData !Binaryh FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0804267a-ca21-482d-a740-109b64f8978d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8**0-oXZ ]Ɋ&  !XoXZ- F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0804267a-ca21-482d-a740-109b64f8978d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ver0**0-oXZ ]Ɋ&  !XoXZ- F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0804267a-ca21-482d-a740-109b64f8978d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ru0**0-oXZ ]Ɋ&  !XoXZ- F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0804267a-ca21-482d-a740-109b64f8978d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**-oXZ ]Ɋ&  !oXZ- F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0804267a-ca21-482d-a740-109b64f8978d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=84462162-06b5-4db5-9c7a-37069cceafef PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nc**-8YZ ]Ɋ&  !8YZ- F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=0804267a-ca21-482d-a740-109b64f8978d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=84462162-06b5-4db5-9c7a-37069cceafef PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tens** -8YZ ]Ɋ&  !X8YZ- F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e7f0675f-460f-453e-81ff-cb10a5348305 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** -8YZ ]Ɋ&  !X8YZ- F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e7f0675f-460f-453e-81ff-cb10a5348305 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** -8YZ ]Ɋ&  !X8YZ- F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e7f0675f-460f-453e-81ff-cb10a5348305 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=4e0f ** -8YZ ]Ɋ&  !X8YZ- F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e7f0675f-460f-453e-81ff-cb10a5348305 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=neVe ** -8YZ ]Ɋ&  !X8YZ- F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e7f0675f-460f-453e-81ff-cb10a5348305 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=yped ** -8YZ ]Ɋ&  !X8YZ- F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e7f0675f-460f-453e-81ff-cb10a5348305 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= EK ** -8YZ ]Ɋ& ; !8YZ- F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e7f0675f-460f-453e-81ff-cb10a5348305 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion=4.0 RunspaceId=2eca430b-07b5-4e94-ae70-4fa0d7774bd4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" **-8YZ ]Ɋ&  !8YZ- F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=19772d26-4f80-47e7-acbb-e249951bd10a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=c7e70f83-5da1-4c5a-8016-be6826738919 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $ek** -YZ ]Ɋ& G !YZ- F&$ StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e7f0675f-460f-453e-81ff-cb10a5348305 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion=4.0 RunspaceId=2eca430b-07b5-4e94-ae70-4fa0d7774bd4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S **X-2\Z ]Ɋ&  !X2\Z- F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=fb739161-e6a3-486c-9736-d689db8211d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nsX**p-2\Z ]Ɋ&  !X2\Z- F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=fb739161-e6a3-486c-9736-d689db8211d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tNp**p-2\Z ]Ɋ&  !X2\Z- F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=fb739161-e6a3-486c-9736-d689db8211d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tp**h-2\Z ]Ɋ&  !X2\Z- F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=fb739161-e6a3-486c-9736-d689db8211d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h ]Ɋ&  X2\Z- F&leSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=52cbbff2-8dc2-4d3e-9c40-6c945813f0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me Comman ] ]Ɋ& XY- F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk-.-.]/Mu=VysMc&&**h-2\Z ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! I!X2\Z- F&F%g>9{p(xlMD EventDatauoData !Binary RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=fb739161-e6a3-486c-9736-d689db8211d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h-2\Z ]Ɋ&  !X2\Z- F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=fb739161-e6a3-486c-9736-d689db8211d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**-2\Z ]Ɋ&  !2\Z- F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=fb739161-e6a3-486c-9736-d689db8211d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=305bab96-6ed0-4706-98e2-f1c3609d9c0f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rov**-2\Z ]Ɋ& !2\Z- F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=fb739161-e6a3-486c-9736-d689db8211d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=305bab96-6ed0-4706-98e2-f1c3609d9c0f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** -2\Z ]Ɋ& w !X2\Z- F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=42aa3a50-cb63-41ef-b88a-59aa95d2c7e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r **8-2\Z ]Ɋ&  !X2\Z- F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=42aa3a50-cb63-41ef-b88a-59aa95d2c7e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l8**8-2\Z ]Ɋ&  !X2\Z- F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=42aa3a50-cb63-41ef-b88a-59aa95d2c7e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ew-8**0-2\Z ]Ɋ&  !X2\Z- F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=42aa3a50-cb63-41ef-b88a-59aa95d2c7e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cat0**0-2\Z ]Ɋ&  !X2\Z- F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=42aa3a50-cb63-41ef-b88a-59aa95d2c7e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { 0**0-2\Z ]Ɋ&  !X2\Z- F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=42aa3a50-cb63-41ef-b88a-59aa95d2c7e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e=0**-2\Z ]Ɋ&  !2\Z- F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=42aa3a50-cb63-41ef-b88a-59aa95d2c7e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=33657292-d22d-4e30-901c-52e495316142 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le**-\Z ]Ɋ&  !\Z- F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=42aa3a50-cb63-41ef-b88a-59aa95d2c7e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=33657292-d22d-4e30-901c-52e495316142 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X-"gZ ]Ɋ&  !X"gZ- F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f241914e-869d-4f81-99e2-1e1f04407299 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $X**p-"gZ ]Ɋ&  !X"gZ- F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f241914e-869d-4f81-99e2-1e1f04407299 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $p**p."gZ ]Ɋ&  !X"gZ. F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f241914e-869d-4f81-99e2-1e1f04407299 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $Erp**h."gZ ]Ɋ&  !X"gZ. F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f241914e-869d-4f81-99e2-1e1f04407299 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $Erh**h."gZ ]Ɋ&  !X"gZ. F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f241914e-869d-4f81-99e2-1e1f04407299 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ry {h Get-NetNei ]Ɋ& ' X"gZ. F&''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me Comman ] ]Ɋ& XY- F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk....GèǷMu=VysMc&&**h."gZ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! K!X"gZ. F&F%g>9{p(xlMD EventDatauoData !Binary VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f241914e-869d-4f81-99e2-1e1f04407299 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**."gZ ]Ɋ&  !"gZ. F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f241914e-869d-4f81-99e2-1e1f04407299 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=c1a85fac-078d-452b-af85-dd3f2b8da6d5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**."gZ ]Ɋ& !"gZ. F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f241914e-869d-4f81-99e2-1e1f04407299 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=c1a85fac-078d-452b-af85-dd3f2b8da6d5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X.@rZ ]Ɋ&  !X@rZ. F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b0745980-bd93-4ef5-b972-243f397dca07 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=LiX**p.@rZ ]Ɋ&  !X@rZ. F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b0745980-bd93-4ef5-b972-243f397dca07 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**p.@rZ ]Ɋ&  !X@rZ. F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b0745980-bd93-4ef5-b972-243f397dca07 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**h .@rZ ]Ɋ&  !X@rZ . F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b0745980-bd93-4ef5-b972-243f397dca07 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h .@rZ ]Ɋ&  !X@rZ . F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b0745980-bd93-4ef5-b972-243f397dca07 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tarth**h .@rZ ]Ɋ&  !X@rZ . F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b0745980-bd93-4ef5-b972-243f397dca07 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h** .@rZ ]Ɋ&  !@rZ . F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b0745980-bd93-4ef5-b972-243f397dca07 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=96266d03-cf54-4ba9-9dc0-57563bea0732 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ole** .@rZ ]Ɋ& !@rZ . F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b0745980-bd93-4ef5-b972-243f397dca07 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=96266d03-cf54-4ba9-9dc0-57563bea0732 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=H** .@rZ ]Ɋ& w !X@rZ. F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2503569a-74c0-4d54-8dd8-337060b0695c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8.@rZ ]Ɋ&  !X@rZ. F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2503569a-74c0-4d54-8dd8-337060b0695c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t8**8.@rZ ]Ɋ&  !X@rZ. F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2503569a-74c0-4d54-8dd8-337060b0695c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ste8**0.@rZ ]Ɋ&  !X@rZ. F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2503569a-74c0-4d54-8dd8-337060b0695c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nS0**0.@rZ ]Ɋ&  !X@rZ. F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2503569a-74c0-4d54-8dd8-337060b0695c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.0**0.@rZ ]Ɋ&  !X@rZ. F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2503569a-74c0-4d54-8dd8-337060b0695c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0' X ]Ɋ& ct@rZ. F& InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me Comman ] ]Ɋ& XY- F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk.$..$.` /%Mu=VysMc&&**.@rZ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! e!@rZ. F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2503569a-74c0-4d54-8dd8-337060b0695c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=0cf4e934-8da0-4862-9163-6490dd9e40fa PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**.MrZ ]Ɋ&  !MrZ. F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=2503569a-74c0-4d54-8dd8-337060b0695c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=0cf4e934-8da0-4862-9163-6490dd9e40fa PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==**.MrZ ]Ɋ&  !XMrZ. F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=3ec768b1-f378-441c-98db-bbd5cedfb344 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ath=**.MrZ ]Ɋ&  !XMrZ. F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=3ec768b1-f378-441c-98db-bbd5cedfb344 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**.MrZ ]Ɋ& !XMrZ. F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=3ec768b1-f378-441c-98db-bbd5cedfb344 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**.MrZ ]Ɋ&  !XMrZ. F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=3ec768b1-f378-441c-98db-bbd5cedfb344 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=FӨ**.MrZ ]Ɋ&  !XMrZ. F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=3ec768b1-f378-441c-98db-bbd5cedfb344 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ov**.MrZ ]Ɋ&  !XMrZ. F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=3ec768b1-f378-441c-98db-bbd5cedfb344 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S**.MrZ ]Ɋ& O!MrZ. F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=3ec768b1-f378-441c-98db-bbd5cedfb344 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=748d6581-75ed-4e8d-90cb-fdcbbde89f40 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**.qsZ ]Ɋ& [!qsZ. F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=3ec768b1-f378-441c-98db-bbd5cedfb344 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=748d6581-75ed-4e8d-90cb-fdcbbde89f40 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ef5**8 .wZ ]Ɋ&  !XwZ. F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=25e79d40-3df2-423e-8a0c-fa3db8e33edd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8 **P .wZ ]Ɋ&  !XwZ. F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=25e79d40-3df2-423e-8a0c-fa3db8e33edd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=meP **P .wZ ]Ɋ&  !XwZ . F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=25e79d40-3df2-423e-8a0c-fa3db8e33edd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gnorP **H !.wZ ]Ɋ&  !XwZ!. F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=25e79d40-3df2-423e-8a0c-fa3db8e33edd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tewaH **H ".wZ ]Ɋ&  !XwZ". F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=25e79d40-3df2-423e-8a0c-fa3db8e33edd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H **H #.wZ ]Ɋ&  !XwZ#. F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=25e79d40-3df2-423e-8a0c-fa3db8e33edd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=| WH ** $.wZ ]Ɋ&  !wZ$. F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=25e79d40-3df2-423e-8a0c-fa3db8e33edd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=91b4b71e-a0bf-4287-81b9-447dc9c09b84 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { $cfg = G ]Ɋ& onwZ%. F&_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0' X ]Ɋ& ct@rZ. F& InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me Comman ] ]Ɋ& XY- F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk%.:.%.:.hTLwMu=VysMc&&**%.wZ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !wZ%. F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=25e79d40-3df2-423e-8a0c-fa3db8e33edd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=91b4b71e-a0bf-4287-81b9-447dc9c09b84 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2-** &.wZ ]Ɋ& w !XwZ&. F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4d487724-b4d1-4b41-b7ab-45635eeae778 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8'.wZ ]Ɋ&  !XwZ'. F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4d487724-b4d1-4b41-b7ab-45635eeae778 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r8**8(.wZ ]Ɋ&  !XwZ(. F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4d487724-b4d1-4b41-b7ab-45635eeae778 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sto8**0).wZ ]Ɋ&  !XwZ). F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4d487724-b4d1-4b41-b7ab-45635eeae778 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=edu0**0*.wZ ]Ɋ&  !XwZ*. F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4d487724-b4d1-4b41-b7ab-45635eeae778 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rig0**0+.wZ ]Ɋ&  !XwZ+. F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4d487724-b4d1-4b41-b7ab-45635eeae778 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=th0**,.6xZ ]Ɋ&  !6xZ,. F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4d487724-b4d1-4b41-b7ab-45635eeae778 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=1c4d6a37-beaa-459e-adee-607860c87f01 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=es**-.6xZ ]Ɋ&  !6xZ-. F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=4d487724-b4d1-4b41-b7ab-45635eeae778 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=1c4d6a37-beaa-459e-adee-607860c87f01 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=# De**...xZ ]Ɋ& K!X.xZ.. F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4351a7f0-d678-4b93-b6f4-a215813acf5e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Hos**/..xZ ]Ɋ& c!X.xZ/. F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4351a7f0-d678-4b93-b6f4-a215813acf5e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ry **0..xZ ]Ɋ& _!X.xZ0. F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4351a7f0-d678-4b93-b6f4-a215813acf5e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s**1..xZ ]Ɋ& W!X.xZ1. F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4351a7f0-d678-4b93-b6f4-a215813acf5e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**2..xZ ]Ɋ& W!X.xZ2. F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4351a7f0-d678-4b93-b6f4-a215813acf5e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**3..xZ ]Ɋ& Y!X.xZ3. F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4351a7f0-d678-4b93-b6f4-a215813acf5e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ern **X4..xZ ]Ɋ& !.xZ4. F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4351a7f0-d678-4b93-b6f4-a215813acf5e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b849ab15-e492-4651-b005-410e187fe16b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ionDX**`5..xZ ]Ɋ& !.xZ5. F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4351a7f0-d678-4b93-b6f4-a215813acf5e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b849ab15-e492-4651-b005-410e187fe16b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `** 6..xZ ]Ɋ& w !X.xZ6. F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d3334f0b-a7b9-4e4c-8f50-f6e3614e9254 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l **87..xZ ]Ɋ&  !X.xZ7. F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d3334f0b-a7b9-4e4c-8f50-f6e3614e9254 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e8**88..xZ ]Ɋ&  !X.xZ8. F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d3334f0b-a7b9-4e4c-8f50-f6e3614e9254 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ c8**09..xZ ]Ɋ&  !X.xZ9. F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d3334f0b-a7b9-4e4c-8f50-f6e3614e9254 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mIn0**0:..xZ ]Ɋ&  !X.xZ:. F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d3334f0b-a7b9-4e4c-8f50-f6e3614e9254 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n0 ]Ɋ& ]Ɋ& YX.xZ;. F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnk;.M.;.M..|#;Mu=VysMc&&**8;..xZ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X.xZ;. F&F%g>9{p(xlMD EventDatauoData !Binaryb VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d3334f0b-a7b9-4e4c-8f50-f6e3614e9254 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8**<..xZ ]Ɋ&  !.xZ<. F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d3334f0b-a7b9-4e4c-8f50-f6e3614e9254 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=bd5ae22a-7274-4abb-8d80-5e957859b852 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= P**=.gyZ ]Ɋ&  !gyZ=. F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=d3334f0b-a7b9-4e4c-8f50-f6e3614e9254 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=bd5ae22a-7274-4abb-8d80-5e957859b852 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==Sta** >.gyZ ]Ɋ&  !XgyZ>. F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=397366d6-ef44-4f4a-bc5e-aa2d72a5b71e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t ** ?.gyZ ]Ɋ&  !XgyZ?. F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=397366d6-ef44-4f4a-bc5e-aa2d72a5b71e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c ** @.gyZ ]Ɋ&  !XgyZ@. F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=397366d6-ef44-4f4a-bc5e-aa2d72a5b71e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ae7 ** A.gyZ ]Ɋ&  !XgyZA. F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=397366d6-ef44-4f4a-bc5e-aa2d72a5b71e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=led ** B.gyZ ]Ɋ&  !XgyZB. F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=397366d6-ef44-4f4a-bc5e-aa2d72a5b71e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** C.gyZ ]Ɋ&  !XgyZC. F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=397366d6-ef44-4f4a-bc5e-aa2d72a5b71e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nP ** D.gyZ ]Ɋ& e !gyZD. F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=397366d6-ef44-4f4a-bc5e-aa2d72a5b71e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=50a6be2d-eec3-4150-8abc-a5c3a48ff5b4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=}  **XE.gyZ ]Ɋ&  !XgyZE. F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b4184edd-d7d4-49a0-b1c2-610756b13dcb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= cX**pF.gyZ ]Ɋ&  !XgyZF. F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b4184edd-d7d4-49a0-b1c2-610756b13dcb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**pG.gyZ ]Ɋ&  !XgyZG. F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b4184edd-d7d4-49a0-b1c2-610756b13dcb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=calDp**hH.gyZ ]Ɋ&  !XgyZH. F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b4184edd-d7d4-49a0-b1c2-610756b13dcb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=410eh**hI.gyZ ]Ɋ&  !XgyZI. F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b4184edd-d7d4-49a0-b1c2-610756b13dcb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0-00h**hJ.gyZ ]Ɋ&  !XgyZJ. F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b4184edd-d7d4-49a0-b1c2-610756b13dcb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**K.gyZ ]Ɋ&  !gyZK. F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b4184edd-d7d4-49a0-b1c2-610756b13dcb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=d0bd4e50-ccc5-42f6-807f-367aedb2d01e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **L.gyZ ]Ɋ& !gyZL. F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b4184edd-d7d4-49a0-b1c2-610756b13dcb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=d0bd4e50-ccc5-42f6-807f-367aedb2d01e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=}**XM.[zZ ]Ɋ&  !X[zZM. F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=34aa5e3c-ad5d-4afd-96ee-c1fbc768d800 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= {X # ignore an ]Ɋ& (GX[zZN. F&rrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n0 ]Ɋ& ]Ɋ& YX.xZ;. F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnkN.m.N.m.(6:izMu=VysMc&&**xN.[zZ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! U!X[zZN. F&F%g>9{p(xlMD EventDatauoData !Binary EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=34aa5e3c-ad5d-4afd-96ee-c1fbc768d800 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=x**pO.[zZ ]Ɋ&  !X[zZO. F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=34aa5e3c-ad5d-4afd-96ee-c1fbc768d800 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**hP.[zZ ]Ɋ&  !X[zZP. F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=34aa5e3c-ad5d-4afd-96ee-c1fbc768d800 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**h**hQ.[zZ ]Ɋ&  !X[zZQ. F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=34aa5e3c-ad5d-4afd-96ee-c1fbc768d800 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=aceIh**hR.[zZ ]Ɋ&  !X[zZR. F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=34aa5e3c-ad5d-4afd-96ee-c1fbc768d800 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ypeh**S.[zZ ]Ɋ&  ![zZS. F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=34aa5e3c-ad5d-4afd-96ee-c1fbc768d800 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=1604c5e5-9da7-4d13-b0b5-68f722d0a897 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=x $** T.[zZ ]Ɋ& q ![zZT. F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=397366d6-ef44-4f4a-bc5e-aa2d72a5b71e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=50a6be2d-eec3-4150-8abc-a5c3a48ff5b4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **U.[zZ ]Ɋ& ![zZU. F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=34aa5e3c-ad5d-4afd-96ee-c1fbc768d800 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=1604c5e5-9da7-4d13-b0b5-68f722d0a897 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**V.[zZ ]Ɋ& 7!X[zZV. F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=556bcb69-1911-4bcf-80f0-0e3cac4abab6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=W**W.[zZ ]Ɋ& O!X[zZW. F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=556bcb69-1911-4bcf-80f0-0e3cac4abab6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=}**X.[zZ ]Ɋ& K!X[zZX. F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=556bcb69-1911-4bcf-80f0-0e3cac4abab6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$en**Y.[zZ ]Ɋ& C!X[zZY. F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=556bcb69-1911-4bcf-80f0-0e3cac4abab6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= @(**Z.[zZ ]Ɋ& C!X[zZZ. F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=556bcb69-1911-4bcf-80f0-0e3cac4abab6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Fi**[.[zZ ]Ɋ& E!X[zZ[. F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=556bcb69-1911-4bcf-80f0-0e3cac4abab6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er**@\.[zZ ]Ɋ& ![zZ\. F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=556bcb69-1911-4bcf-80f0-0e3cac4abab6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=34a86d9b-e3a6-4aee-95c1-23c6a17f93de PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= @**P].[zZ ]Ɋ& ![zZ]. F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=556bcb69-1911-4bcf-80f0-0e3cac4abab6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=34a86d9b-e3a6-4aee-95c1-23c6a17f93de PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=STATP**H^.&[ ]Ɋ& !X&[^. F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6b164bca-c0ff-462b-98e7-ea05cac09c14 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**`_.&[ ]Ɋ& !X&[_. F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6b164bca-c0ff-462b-98e7-ea05cac09c14 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e`**``.&[ ]Ɋ& !X&[`. F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6b164bca-c0ff-462b-98e7-ea05cac09c14 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=PAT`**Xa.&[ ]Ɋ& !X&[a. F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6b164bca-c0ff-462b-98e7-ea05cac09c14 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= # X**Xb.&[ ]Ɋ& !X&[b. F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6b164bca-c0ff-462b-98e7-ea05cac09c14 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= toX**Xc.&[ ]Ɋ& !X&[c. F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6b164bca-c0ff-462b-98e7-ea05cac09c14 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=75X**d.&[ ]Ɋ& !&[d. F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6b164bca-c0ff-462b-98e7-ea05cac09c14 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=f4fd7945-80d3-40cc-9cef-f07e27ce7384 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fi**e.[ ]Ɋ&  ![e. F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=6b164bca-c0ff-462b-98e7-ea05cac09c14 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=f4fd7945-80d3-40cc-9cef-f07e27ce7384 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $_.**f.+[ ]Ɋ& K!X+[f. F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=309f1583-e153-47f1-b628-9dba750f6f0a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=efe**g.+[ ]Ɋ& c!X+[g. F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=309f1583-e153-47f1-b628-9dba750f6f0a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=st **h.+[ ]Ɋ& _!X+[h. F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=309f1583-e153-47f1-b628-9dba750f6f0a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**i.+[ ]Ɋ& W!X+[i. F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=309f1583-e153-47f1-b628-9dba750f6f0a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **j.+[ ]Ɋ& W!X+[j. F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=309f1583-e153-47f1-b628-9dba750f6f0a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **k.+[ ]Ɋ& Y!X+[k. F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=309f1583-e153-47f1-b628-9dba750f6f0a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= th**Xl.+[ ]Ɋ& !+[l. F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=309f1583-e153-47f1-b628-9dba750f6f0a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=172d6487-13bc-40d3-b0b5-15ac1a937ebe PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=9CerX**`m.+[ ]Ɋ& !+[m. F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=309f1583-e153-47f1-b628-9dba750f6f0a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=172d6487-13bc-40d3-b0b5-15ac1a937ebe PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=CA`ress } | Sel ]Ɋ& etX+[n. F&rkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n0 ]Ɋ& ]Ɋ& YX.xZ;. F& tcW, F&rvers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ElfChnkn..n..`fz٫DMu=VysMc&&**(n.+[ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X+[n. F&F%g>9{p(xlMD EventDatauoData !BinaryT AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1ad2f25e-71ab-4c0d-9f23-4bd749494242 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Na(**8o.+[ ]Ɋ&  !X+[o. F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1ad2f25e-71ab-4c0d-9f23-4bd749494242 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e8**8p.+[ ]Ɋ&  !X+[p. F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1ad2f25e-71ab-4c0d-9f23-4bd749494242 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= P8**0q.+[ ]Ɋ&  !X+[q. F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1ad2f25e-71ab-4c0d-9f23-4bd749494242 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ngi0**0r.+[ ]Ɋ&  !X+[r. F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1ad2f25e-71ab-4c0d-9f23-4bd749494242 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n.M0**0s.+[ ]Ɋ&  !X+[s. F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1ad2f25e-71ab-4c0d-9f23-4bd749494242 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-O0**t.+[ ]Ɋ&  !+[t. F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1ad2f25e-71ab-4c0d-9f23-4bd749494242 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=e52a3385-85d2-41d6-9ef3-917bcec2fe01 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -**u.+[ ]Ɋ&  !+[u. F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=1ad2f25e-71ab-4c0d-9f23-4bd749494242 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=e52a3385-85d2-41d6-9ef3-917bcec2fe01 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nInt** v.+[ ]Ɋ&  !X+[v. F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9d502628-b308-46e2-a58f-1279e1273e98 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** w.+[ ]Ɋ&  !X+[w. F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9d502628-b308-46e2-a58f-1279e1273e98 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l ** x.+[ ]Ɋ&  !X+[x. F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9d502628-b308-46e2-a58f-1279e1273e98 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0-0 ** y.+[ ]Ɋ&  !X+[y. F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9d502628-b308-46e2-a58f-1279e1273e98 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== ** z.+[ ]Ɋ&  !X+[z. F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9d502628-b308-46e2-a58f-1279e1273e98 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Fi ** {.+[ ]Ɋ&  !X+[{. F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9d502628-b308-46e2-a58f-1279e1273e98 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=an ** |.+[ ]Ɋ& e !+[|. F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9d502628-b308-46e2-a58f-1279e1273e98 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=3adfe793-b178-4f99-a7d5-06893fe618dc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=vi ** }.+[ ]Ɋ& q !+[}. F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9d502628-b308-46e2-a58f-1279e1273e98 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=3adfe793-b178-4f99-a7d5-06893fe618dc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tApp **~.#8,[ ]Ɋ& 7!X#8,[~. F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=107e57c1-0167-4ab6-a724-b5024c54735a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **.#8,[ ]Ɋ& O!X#8,[. F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=107e57c1-0167-4ab6-a724-b5024c54735a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a**.#8,[ ]Ɋ& K!X#8,[. F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=107e57c1-0167-4ab6-a724-b5024c54735a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t {**.#8,[ ]Ɋ& C!X#8,[. F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=107e57c1-0167-4ab6-a724-b5024c54735a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=re-**.#8,[ ]Ɋ& C!X#8,[. F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=107e57c1-0167-4ab6-a724-b5024c54735a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sk **.#8,[ ]Ɋ& E!X#8,[. F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=107e57c1-0167-4ab6-a724-b5024c54735a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=og**@.#8,[ ]Ɋ& !#8,[. F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=107e57c1-0167-4ab6-a724-b5024c54735a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=0dc39e52-9dcd-429c-b9bd-110bd6a769c3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= @**P.#8,[ ]Ɋ& !#8,[. F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=107e57c1-0167-4ab6-a724-b5024c54735a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=0dc39e52-9dcd-429c-b9bd-110bd6a769c3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ere-P**H.[ ]Ɋ& !X[. F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2a6c73a0-bcae-4da2-ae12-64de9f352bbd HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fH**`.[ ]Ɋ& !X[. F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2a6c73a0-bcae-4da2-ae12-64de9f352bbd HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o`andPath= CommandLine= ElfChnk....HGEAMu=VysMc&&**`.[ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! C!X[. F&F%g>9{p(xlMD EventDatauoData !BinaryFileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2a6c73a0-bcae-4da2-ae12-64de9f352bbd HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=`**X.[ ]Ɋ& !X[. F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2a6c73a0-bcae-4da2-ae12-64de9f352bbd HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=igX**X.[ ]Ɋ& !X[. F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2a6c73a0-bcae-4da2-ae12-64de9f352bbd HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= (X**X.[ ]Ɋ& !X[. F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2a6c73a0-bcae-4da2-ae12-64de9f352bbd HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$nX**.[ ]Ɋ& ![. F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2a6c73a0-bcae-4da2-ae12-64de9f352bbd HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=28427b6d-39d9-4ba4-bdf0-b22342616d5c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **.![ ]Ɋ&  !![. F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=2a6c73a0-bcae-4da2-ae12-64de9f352bbd HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=28427b6d-39d9-4ba4-bdf0-b22342616d5c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$cfg**.T[ ]Ɋ& K!XT[. F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d802413c-7363-45b9-8824-1eb794494cd4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ect**.T[ ]Ɋ& c!XT[. F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d802413c-7363-45b9-8824-1eb794494cd4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=IPE**.T[ ]Ɋ& _!XT[. F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d802413c-7363-45b9-8824-1eb794494cd4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a**.T[ ]Ɋ& W!XT[. F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d802413c-7363-45b9-8824-1eb794494cd4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **.T[ ]Ɋ& W!XT[. F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d802413c-7363-45b9-8824-1eb794494cd4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**.T[ ]Ɋ& Y!XT[. F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d802413c-7363-45b9-8824-1eb794494cd4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.Int**X.T[ ]Ɋ& !T[. F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d802413c-7363-45b9-8824-1eb794494cd4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=872d80ac-9883-4301-b2cc-2b642505511e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t 1 X**`.T[ ]Ɋ& !T[. F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d802413c-7363-45b9-8824-1eb794494cd4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=872d80ac-9883-4301-b2cc-2b642505511e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=if`** .T[ ]Ɋ& w !XT[. F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=33c692f7-66f5-493c-b6d1-11a6229bb4bd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r **8.T[ ]Ɋ&  !XT[. F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=33c692f7-66f5-493c-b6d1-11a6229bb4bd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=/8**8.T[ ]Ɋ&  !XT[. F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=33c692f7-66f5-493c-b6d1-11a6229bb4bd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=in 8**0.T[ ]Ɋ&  !XT[. F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=33c692f7-66f5-493c-b6d1-11a6229bb4bd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Ou0**0.T[ ]Ɋ&  !XT[. F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=33c692f7-66f5-493c-b6d1-11a6229bb4bd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= = 0**0.T[ ]Ɋ&  !XT[. F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=33c692f7-66f5-493c-b6d1-11a6229bb4bd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ai0**.T[ ]Ɋ&  !T[. F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=33c692f7-66f5-493c-b6d1-11a6229bb4bd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=98619639-f982-4d89-9973-07b35914cb2c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le**.o[ ]Ɋ&  !o[. F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=33c692f7-66f5-493c-b6d1-11a6229bb4bd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=98619639-f982-4d89-9973-07b35914cb2c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= DNS** .o[ ]Ɋ&  !Xo[. F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=cb6616e5-8697-461c-a5c8-ca54aade9fcf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ӱ ** .o[ ]Ɋ&  !Xo[. F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=cb6616e5-8697-461c-a5c8-ca54aade9fcf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c ** .o[ ]Ɋ&  !Xo[. F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=cb6616e5-8697-461c-a5c8-ca54aade9fcf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ll. ** .o[ ]Ɋ&  !Xo[. F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=cb6616e5-8697-461c-a5c8-ca54aade9fcf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** .o[ ]Ɋ&  !Xo[. F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=cb6616e5-8697-461c-a5c8-ca54aade9fcf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine='} ** .o[ ]Ɋ&  !Xo[. F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=cb6616e5-8697-461c-a5c8-ca54aade9fcf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ow yle Hidden - ]Ɋ& pso[. F&Id= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o`andPath= CommandLine= ElfChnk....`KsMu=VysMc&&**.o[ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !o[. F&F%g>9{p(xlMD EventDatauoData !BinaryB AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=cb6616e5-8697-461c-a5c8-ca54aade9fcf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=73980fca-d5c6-4b63-afb0-a188a84561f2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=enc** .o[ ]Ɋ& q !o[. F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=cb6616e5-8697-461c-a5c8-ca54aade9fcf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=73980fca-d5c6-4b63-afb0-a188a84561f2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pass **.[ ]Ɋ& 7!X[. F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6b50400e-c7c8-4437-841f-0e2752bab937 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l**.[ ]Ɋ& O!X[. F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6b50400e-c7c8-4437-841f-0e2752bab937 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**.[ ]Ɋ& K!X[. F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6b50400e-c7c8-4437-841f-0e2752bab937 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=spa**.[ ]Ɋ& C!X[. F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6b50400e-c7c8-4437-841f-0e2752bab937 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ver**.[ ]Ɋ& C!X[. F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6b50400e-c7c8-4437-841f-0e2752bab937 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= E**.[ ]Ɋ& E!X[. F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6b50400e-c7c8-4437-841f-0e2752bab937 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pr**@.[ ]Ɋ& ![. F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6b50400e-c7c8-4437-841f-0e2752bab937 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=39dbf322-2b45-45d1-a1eb-5f6a780a1240 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ac@**P.[ ]Ɋ& ![. F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=6b50400e-c7c8-4437-841f-0e2752bab937 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=39dbf322-2b45-45d1-a1eb-5f6a780a1240 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2b64P**X.jw\ ]Ɋ&  !Xjw\. F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b31735bf-c61a-4e10-a0a5-92e81ce3d6f2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-nX**p.jw\ ]Ɋ&  !Xjw\. F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b31735bf-c61a-4e10-a0a5-92e81ce3d6f2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= p**p.jw\ ]Ɋ&  !Xjw\. F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b31735bf-c61a-4e10-a0a5-92e81ce3d6f2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=acAdp**h.jw\ ]Ɋ&  !Xjw\. F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b31735bf-c61a-4e10-a0a5-92e81ce3d6f2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**h.jw\ ]Ɋ&  !Xjw\. F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b31735bf-c61a-4e10-a0a5-92e81ce3d6f2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ h**h.jw\ ]Ɋ&  !Xjw\. F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b31735bf-c61a-4e10-a0a5-92e81ce3d6f2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ah**.jw\ ]Ɋ&  !jw\. F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b31735bf-c61a-4e10-a0a5-92e81ce3d6f2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=a6b63fb6-74d3-49f9-bd19-1d31053c75bb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= fa**.jw\ ]Ɋ& !jw\. F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b31735bf-c61a-4e10-a0a5-92e81ce3d6f2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=a6b63fb6-74d3-49f9-bd19-1d31053c75bb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **H.}\ ]Ɋ& !X}\. F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=414673c0-7d7c-4458-8167-efd0764157d9 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=iH**`.}\ ]Ɋ& !X}\. F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=414673c0-7d7c-4458-8167-efd0764157d9 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e`**`.}\ ]Ɋ& !X}\. F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=414673c0-7d7c-4458-8167-efd0764157d9 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t 0`**X.}\ ]Ɋ& !X}\. F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=414673c0-7d7c-4458-8167-efd0764157d9 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= HX**X.}\ ]Ɋ& !X}\. F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=414673c0-7d7c-4458-8167-efd0764157d9 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== $X**X.}\ ]Ɋ& !X}\. F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=414673c0-7d7c-4458-8167-efd0764157d9 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**.}\ ]Ɋ& !}\. F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=414673c0-7d7c-4458-8167-efd0764157d9 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=53fe4e7c-6756-4540-9fbc-55e9cd44af0e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t **X.<\ ]Ɋ&  !X<\. F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=642ab117-35be-4cb5-a7dc-dde266153135 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**p.<\ ]Ɋ&  !X<\. F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=642ab117-35be-4cb5-a7dc-dde266153135 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sSpvers += $dns ]Ɋ& doX<\. F&Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ow yle Hidden - ]Ɋ& pso[. F&Id= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o`andPath= CommandLine= ElfChnk....X\&8Mu=VysMc&&**p.<\ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! Q!X<\. F&F%g>9{p(xlMD EventDatauoData !Binary FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=642ab117-35be-4cb5-a7dc-dde266153135 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Cp**h.<\ ]Ɋ&  !X<\. F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=642ab117-35be-4cb5-a7dc-dde266153135 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ionPh**h.<\ ]Ɋ&  !X<\. F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=642ab117-35be-4cb5-a7dc-dde266153135 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== h**h.<\ ]Ɋ&  !X<\. F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=642ab117-35be-4cb5-a7dc-dde266153135 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0 h**.<\ ]Ɋ&  !<\. F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=642ab117-35be-4cb5-a7dc-dde266153135 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=ed828279-a410-4593-85c7-2e99e09e601e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=H e**.<\ ]Ɋ& !<\. F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=642ab117-35be-4cb5-a7dc-dde266153135 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=ed828279-a410-4593-85c7-2e99e09e601e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=G** .<\ ]Ɋ& w !X<\. F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e81118b7-ee65-40a6-bc9a-faaf644f983e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=v **8.<\ ]Ɋ&  !X<\. F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e81118b7-ee65-40a6-bc9a-faaf644f983e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=N8**8.<\ ]Ɋ&  !X<\. F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e81118b7-ee65-40a6-bc9a-faaf644f983e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { 8**0.<\ ]Ɋ&  !X<\. F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e81118b7-ee65-40a6-bc9a-faaf644f983e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=SIG0**0.<\ ]Ɋ&  !X<\. F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e81118b7-ee65-40a6-bc9a-faaf644f983e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0.<\ ]Ɋ&  !X<\. F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e81118b7-ee65-40a6-bc9a-faaf644f983e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -0**.ҏ\ ]Ɋ&  !ҏ\. F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e81118b7-ee65-40a6-bc9a-faaf644f983e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=39883c72-6b6d-4aec-b150-5299a8dcf4a2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ra**.ҏ\ ]Ɋ&  !ҏ\. F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=e81118b7-ee65-40a6-bc9a-faaf644f983e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=39883c72-6b6d-4aec-b150-5299a8dcf4a2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== **.i(\ ]Ɋ&  !Xi(\. F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ade5ea5e-d422-45ce-b978-13df9e1cbfc5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Pro**.i(\ ]Ɋ&  !Xi(\. F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ade5ea5e-d422-45ce-b978-13df9e1cbfc5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=te=S**.i(\ ]Ɋ& !Xi(\. F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ade5ea5e-d422-45ce-b978-13df9e1cbfc5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=relt = @{  ]Ɋ& iqXi(\. F&Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ow yle Hidden - ]Ɋ& pso[. F&Id= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o`andPath= CommandLine= ElfChnk....0`0('[Mu=VysMc&&**.i(\ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !Xi(\. F&F%g>9{p(xlMD EventDatauoData !Binary FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ade5ea5e-d422-45ce-b978-13df9e1cbfc5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**.i(\ ]Ɋ&  !Xi(\. F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ade5ea5e-d422-45ce-b978-13df9e1cbfc5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**.i(\ ]Ɋ&  !Xi(\. F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ade5ea5e-d422-45ce-b978-13df9e1cbfc5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**.i(\ ]Ɋ& O!i(\. F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ade5ea5e-d422-45ce-b978-13df9e1cbfc5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=f821dbb4-550d-4ca2-a498-88d0e3137e82 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **.i(\ ]Ɋ&  !i(\. F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=414673c0-7d7c-4458-8167-efd0764157d9 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=53fe4e7c-6756-4540-9fbc-55e9cd44af0e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=CT:$**.i(\ ]Ɋ& [!i(\. F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ade5ea5e-d422-45ce-b978-13df9e1cbfc5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=f821dbb4-550d-4ca2-a498-88d0e3137e82 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=)" **8 .T\ ]Ɋ&  !XT\. F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=be93214b-9b89-4f13-b223-1a98db0acb52 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=et8 **P .T\ ]Ɋ&  !XT\. F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=be93214b-9b89-4f13-b223-1a98db0acb52 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=etP **P .T\ ]Ɋ&  !XT\. F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=be93214b-9b89-4f13-b223-1a98db0acb52 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nce P **H .T\ ]Ɋ&  !XT\. F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=be93214b-9b89-4f13-b223-1a98db0acb52 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=3e H **H .T\ ]Ɋ&  !XT\. F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=be93214b-9b89-4f13-b223-1a98db0acb52 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==StaH **H .T\ ]Ɋ&  !XT\. F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=be93214b-9b89-4f13-b223-1a98db0acb52 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=H ** .T\ ]Ɋ&  !T\. F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=be93214b-9b89-4f13-b223-1a98db0acb52 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=cdfccec0-8a3a-43a6-aa27-f58eca9624f6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C ** .T\ ]Ɋ&  !T\. F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=be93214b-9b89-4f13-b223-1a98db0acb52 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=cdfccec0-8a3a-43a6-aa27-f58eca9624f6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0 ** .T\ ]Ɋ& w !XT\. F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d4c4f064-9377-4f9d-9ddf-6a0ada35efb8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=# **8.T\ ]Ɋ&  !XT\. F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d4c4f064-9377-4f9d-9ddf-6a0ada35efb8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8.T\ ]Ɋ&  !XT\. F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d4c4f064-9377-4f9d-9ddf-6a0ada35efb8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=igg8**0.T\ ]Ɋ&  !XT\. F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d4c4f064-9377-4f9d-9ddf-6a0ada35efb8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s) 0@($bootTrigg ]Ɋ& TrXT\. F&on Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=relt = @{  ]Ɋ& iqXi(\. F&Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ow yle Hidden - ]Ɋ& pso[. F&Id= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o`andPath= CommandLine= ElfChnk.....+Mu=VysMc&&**0.T\ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XT\. F&F%g>9{p(xlMD EventDatauoData !Binary` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d4c4f064-9377-4f9d-9ddf-6a0ada35efb8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0.T\ ]Ɋ&  !XT\. F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d4c4f064-9377-4f9d-9ddf-6a0ada35efb8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**.T\ ]Ɋ&  !T\. F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d4c4f064-9377-4f9d-9ddf-6a0ada35efb8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=70f4f3e6-9765-4119-af23-8c1ae74958f2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oo**.\ ]Ɋ&  !\. F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=d4c4f064-9377-4f9d-9ddf-6a0ada35efb8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=70f4f3e6-9765-4119-af23-8c1ae74958f2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Coul**.\ ]Ɋ& K!X\. F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=45b0ccd3-68ff-428d-9b45-b130aa5fa3d5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== **.\ ]Ɋ& c!X\. F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=45b0ccd3-68ff-428d-9b45-b130aa5fa3d5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gs **.\ ]Ɋ& _!X\. F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=45b0ccd3-68ff-428d-9b45-b130aa5fa3d5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**.\ ]Ɋ& W!X\. F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=45b0ccd3-68ff-428d-9b45-b130aa5fa3d5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**.\ ]Ɋ& W!X\. F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=45b0ccd3-68ff-428d-9b45-b130aa5fa3d5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=)**.\ ]Ɋ& Y!X\. F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=45b0ccd3-68ff-428d-9b45-b130aa5fa3d5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Name**X.\ ]Ɋ& !\. F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=45b0ccd3-68ff-428d-9b45-b130aa5fa3d5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=9e42bb56-91c5-469d-86e7-4104a66b848a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ifX**`.\ ]Ɋ& !\. F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=45b0ccd3-68ff-428d-9b45-b130aa5fa3d5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=9e42bb56-91c5-469d-86e7-4104a66b848a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Na`** .\ ]Ɋ& w !X\. F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ecd7254f-113d-44b5-b5ce-851809601048 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=H **8.\ ]Ɋ&  !X\. F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ecd7254f-113d-44b5-b5ce-851809601048 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8.\ ]Ɋ&  !X\. F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ecd7254f-113d-44b5-b5ce-851809601048 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ft\8**0.\ ]Ɋ&  !X\. F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ecd7254f-113d-44b5-b5ce-851809601048 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Fi0**0.\ ]Ɋ&  !X\. F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ecd7254f-113d-44b5-b5ce-851809601048 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=if 0**0.\ ]Ɋ&  !X\. F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ecd7254f-113d-44b5-b5ce-851809601048 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=et0**.\ ]Ɋ&  !\. F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ecd7254f-113d-44b5-b5ce-851809601048 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=87f1dd6c-5488-43ca-a82a-b893fc7c0503 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.I**.\ ]Ɋ&  !\. F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=ecd7254f-113d-44b5-b5ce-851809601048 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=87f1dd6c-5488-43ca-a82a-b893fc7c0503 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e | ** .J\ ]Ɋ&  !XJ\. F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5d33db92-1c43-450a-80c9-4661ff315b3a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=9 ** .J\ ]Ɋ&  !XJ\. F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5d33db92-1c43-450a-80c9-4661ff315b3a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=O ** .J\ ]Ɋ&  !XJ\. F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5d33db92-1c43-450a-80c9-4661ff315b3a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk. /. /@@IJMu=VysMc&&** .J\ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !XJ\. F&F%g>9{p(xlMD EventDatauoData !BinaryFunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5d33db92-1c43-450a-80c9-4661ff315b3a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** .J\ ]Ɋ&  !XJ\. F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5d33db92-1c43-450a-80c9-4661ff315b3a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rea ** .J\ ]Ɋ&  !XJ\. F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5d33db92-1c43-450a-80c9-4661ff315b3a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ne ** .J\ ]Ɋ& e !J\. F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5d33db92-1c43-450a-80c9-4661ff315b3a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=86f731a5-3180-4227-921f-bee9f973d066 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=je **X.J\ ]Ɋ&  !XJ\. F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6ec12cca-015a-41e7-81f6-8c6956826606 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_.X**p.J\ ]Ɋ&  !XJ\. F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6ec12cca-015a-41e7-81f6-8c6956826606 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ep**p.J\ ]Ɋ&  !XJ\. F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6ec12cca-015a-41e7-81f6-8c6956826606 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==Regp**h/J\ ]Ɋ&  !XJ\/ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6ec12cca-015a-41e7-81f6-8c6956826606 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ediah**h/J\ ]Ɋ&  !XJ\/ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6ec12cca-015a-41e7-81f6-8c6956826606 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=yConh**h/J\ ]Ɋ&  !XJ\/ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6ec12cca-015a-41e7-81f6-8c6956826606 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ch h**/J\ ]Ɋ&  !J\/ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6ec12cca-015a-41e7-81f6-8c6956826606 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=84e7d531-1610-47eb-bbc7-a3e1b3f2dca9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tAd**/J\ ]Ɋ& !J\/ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=6ec12cca-015a-41e7-81f6-8c6956826606 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=84e7d531-1610-47eb-bbc7-a3e1b3f2dca9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=u**X/J\ ]Ɋ&  !XJ\/ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=36672360-4d90-44fe-9dc3-4e2fbaf735fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-FX**p/J\ ]Ɋ&  !XJ\/ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=36672360-4d90-44fe-9dc3-4e2fbaf735fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -p**p/J\ ]Ɋ&  !XJ\/ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=36672360-4d90-44fe-9dc3-4e2fbaf735fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d $ap**h/J\ ]Ɋ&  !XJ\/ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=36672360-4d90-44fe-9dc3-4e2fbaf735fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ter.h**h /J\ ]Ɋ&  !XJ\ / F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=36672360-4d90-44fe-9dc3-4e2fbaf735fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t = h**h /J\ ]Ɋ&  !XJ\ / F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=36672360-4d90-44fe-9dc3-4e2fbaf735fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Verhon=4.0 Hos ]Ɋ& ApJ\ / F&rofile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk /)/ /)/@GM=dG>Mu=VysMc&&** /J\ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !J\ / F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=36672360-4d90-44fe-9dc3-4e2fbaf735fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=eed0a9f6-4dc8-4f8f-b503-f52d8a70ea99 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** /J\ ]Ɋ& q !J\ / F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5d33db92-1c43-450a-80c9-4661ff315b3a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=86f731a5-3180-4227-921f-bee9f973d066 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rs + ** /J\ ]Ɋ& !J\ / F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=36672360-4d90-44fe-9dc3-4e2fbaf735fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=eed0a9f6-4dc8-4f8f-b503-f52d8a70ea99 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**/ඇ\ ]Ɋ& 7!Xඇ\/ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b3c1f6e9-fe9b-483a-aadf-4343c19d02a1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.**/ඇ\ ]Ɋ& O!Xඇ\/ F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b3c1f6e9-fe9b-483a-aadf-4343c19d02a1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**/ඇ\ ]Ɋ& K!Xඇ\/ F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b3c1f6e9-fe9b-483a-aadf-4343c19d02a1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **/ඇ\ ]Ɋ& C!Xඇ\/ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b3c1f6e9-fe9b-483a-aadf-4343c19d02a1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **/ඇ\ ]Ɋ& C!Xඇ\/ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b3c1f6e9-fe9b-483a-aadf-4343c19d02a1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ovi**/ඇ\ ]Ɋ& E!Xඇ\/ F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b3c1f6e9-fe9b-483a-aadf-4343c19d02a1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s **@/ඇ\ ]Ɋ& !ඇ\/ F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b3c1f6e9-fe9b-483a-aadf-4343c19d02a1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=3aeb3736-4d34-4015-90bb-28b183cfc530 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= @**P/ඇ\ ]Ɋ& !ඇ\/ F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b3c1f6e9-fe9b-483a-aadf-4343c19d02a1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=3aeb3736-4d34-4015-90bb-28b183cfc530 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=GE:$P**H/@e0] ]Ɋ& !X@e0]/ F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7a7654a4-690a-4696-9cce-0121a029c150 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tH**`/@e0] ]Ɋ& !X@e0]/ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7a7654a4-690a-4696-9cce-0121a029c150 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**`/@e0] ]Ɋ& !X@e0]/ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7a7654a4-690a-4696-9cce-0121a029c150 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=PTU`**X/@e0] ]Ɋ& !X@e0]/ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7a7654a4-690a-4696-9cce-0121a029c150 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=29.X**X/@e0] ]Ɋ& !X@e0]/ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7a7654a4-690a-4696-9cce-0121a029c150 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-OuX**X/@e0] ]Ɋ& !X@e0]/ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7a7654a4-690a-4696-9cce-0121a029c150 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e X**/@e0] ]Ɋ& !@e0]/ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7a7654a4-690a-4696-9cce-0121a029c150 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=01fd3f3f-f618-4eff-8664-d51c38ecde67 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Va**/$8] ]Ɋ& K!X$8]/ F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a36bbffd-da78-419b-a5e2-a8010adcc8c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=OR:**/$8] ]Ɋ& c!X$8]/ F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a36bbffd-da78-419b-a5e2-a8010adcc8c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Ou**/$8] ]Ɋ& _!X$8]/ F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a36bbffd-da78-419b-a5e2-a8010adcc8c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a** /$8] ]Ɋ& W!X$8] / F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a36bbffd-da78-419b-a5e2-a8010adcc8c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f**!/$8] ]Ɋ& W!X$8]!/ F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a36bbffd-da78-419b-a5e2-a8010adcc8c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**"/$8] ]Ɋ& Y!X$8]"/ F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a36bbffd-da78-419b-a5e2-a8010adcc8c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=neId**X#/$8] ]Ɋ& !$8]#/ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a36bbffd-da78-419b-a5e2-a8010adcc8c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=fa3ebd50-22f4-439c-91f7-93706788f716 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**`$/$8] ]Ɋ& !$8]$/ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=a36bbffd-da78-419b-a5e2-a8010adcc8c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=fa3ebd50-22f4-439c-91f7-93706788f716 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=k `** %/{8] ]Ɋ& w !X{8]%/ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0769bf38-00ac-41b6-80f6-cb7e5ab2d724 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ **8&/{8] ]Ɋ&  !X{8]&/ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0769bf38-00ac-41b6-80f6-cb7e5ab2d724 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8'/{8] ]Ɋ&  !X{8]'/ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0769bf38-00ac-41b6-80f6-cb7e5ab2d724 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { 8**0(/{8] ]Ɋ&  !X{8](/ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0769bf38-00ac-41b6-80f6-cb7e5ab2d724 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=edK0**0)/{8] ]Ɋ&  !X{8])/ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0769bf38-00ac-41b6-80f6-cb7e5ab2d724 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0$ekus = $eku ]Ɋ& alX{8]*/ F& } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Verhon=4.0 Hos ]Ɋ& ApJ\ / F&rofile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk*/K/*/K/yEεMu=VysMc&&**8*/{8] ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X{8]*/ F&F%g>9{p(xlMD EventDatauoData !Binaryb VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0769bf38-00ac-41b6-80f6-cb7e5ab2d724 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ame8**+/{8] ]Ɋ&  !{8]+/ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0769bf38-00ac-41b6-80f6-cb7e5ab2d724 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=9dbb8932-02a0-4c30-9e62-f50fa82b1e65 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=si**,/{8] ]Ɋ&  !{8],/ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=0769bf38-00ac-41b6-80f6-cb7e5ab2d724 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=9dbb8932-02a0-4c30-9e62-f50fa82b1e65 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** -/V9] ]Ɋ&  !XV9]-/ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f63d9403-db6c-49b2-a6ef-a0afeb8725f0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o ** ./V9] ]Ɋ&  !XV9]./ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f63d9403-db6c-49b2-a6ef-a0afeb8725f0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o ** //V9] ]Ɋ&  !XV9]// F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f63d9403-db6c-49b2-a6ef-a0afeb8725f0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$_. ** 0/V9] ]Ɋ&  !XV9]0/ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f63d9403-db6c-49b2-a6ef-a0afeb8725f0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ppe ** 1/V9] ]Ɋ&  !XV9]1/ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f63d9403-db6c-49b2-a6ef-a0afeb8725f0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e= ** 2/V9] ]Ɋ&  !XV9]2/ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f63d9403-db6c-49b2-a6ef-a0afeb8725f0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er ** 3/V9] ]Ɋ& e !V9]3/ F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f63d9403-db6c-49b2-a6ef-a0afeb8725f0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=a5cec39f-a6e5-4c03-ad7c-a9023de2d1ee PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rs ** 4/V9] ]Ɋ& q !V9]4/ F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f63d9403-db6c-49b2-a6ef-a0afeb8725f0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=a5cec39f-a6e5-4c03-ad7c-a9023de2d1ee PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-or **5/V9] ]Ɋ& 7!XV9]5/ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=02de2212-93dc-4266-a2ba-a621c5201632 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **6/V9] ]Ɋ& O!XV9]6/ F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=02de2212-93dc-4266-a2ba-a621c5201632 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-**7/V9] ]Ɋ& K!XV9]7/ F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=02de2212-93dc-4266-a2ba-a621c5201632 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Wh**8/V9] ]Ɋ& C!XV9]8/ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=02de2212-93dc-4266-a2ba-a621c5201632 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=alD**9/V9] ]Ɋ& C!XV9]9/ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=02de2212-93dc-4266-a2ba-a621c5201632 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n32**:/V9] ]Ɋ& E!XV9]:/ F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=02de2212-93dc-4266-a2ba-a621c5201632 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ct**@;/V9] ]Ɋ& !V9];/ F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=02de2212-93dc-4266-a2ba-a621c5201632 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=a5438d6e-08b3-4f71-857a-89c9d83ea19d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mm@**P/5] ]Ɋ& !X5]>/ F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=96fa5baa-952b-4479-8833-28ebf02d7839 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-H**`?/5] ]Ɋ& !X5]?/ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=96fa5baa-952b-4479-8833-28ebf02d7839 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-`**`@/5] ]Ɋ& !X5]@/ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=96fa5baa-952b-4479-8833-28ebf02d7839 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ue `**XA/5] ]Ɋ& !X5]A/ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=96fa5baa-952b-4479-8833-28ebf02d7839 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=AddX**XB/5] ]Ɋ& !X5]B/ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=96fa5baa-952b-4479-8833-28ebf02d7839 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= PrX**XC/5] ]Ɋ& !X5]C/ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=96fa5baa-952b-4479-8833-28ebf02d7839 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**D/5] ]Ɋ& !5]D/ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=96fa5baa-952b-4479-8833-28ebf02d7839 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=8e591ade-f3da-4eea-b7c9-77009157d554 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=la**E/B] ]Ɋ& K!XB]E/ F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f7396472-2127-477d-a723-be4e4ed967e4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Hos**F/B] ]Ɋ& c!XB]F/ F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f7396472-2127-477d-a723-be4e4ed967e4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **G/B] ]Ɋ& _!XB]G/ F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f7396472-2127-477d-a723-be4e4ed967e4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**H/B] ]Ɋ& W!XB]H/ F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f7396472-2127-477d-a723-be4e4ed967e4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **I/B] ]Ɋ& W!XB]I/ F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f7396472-2127-477d-a723-be4e4ed967e4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=u**J/B] ]Ɋ& Y!XB]J/ F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f7396472-2127-477d-a723-be4e4ed967e4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on**XK/B] ]Ɋ& !B]K/ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f7396472-2127-477d-a723-be4e4ed967e4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b2e0ea73-51ae-4bb9-b70d-f4cc20346696 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tTo-Xon -Compress ]Ɋ& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnkL/d/L/d/(xb۵Mu=VysMc&&**h L/B] ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! E!B]L/ F&F%g>9{p(xlMD EventDatauoData !BinaryStoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f7396472-2127-477d-a723-be4e4ed967e4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b2e0ea73-51ae-4bb9-b70d-f4cc20346696 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Conh ** M/ٍ] ]Ɋ& w !Xٍ]M/ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0cc16520-19a4-4c16-9d63-0c54ce2426bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S **8N/ٍ] ]Ɋ&  !Xٍ]N/ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0cc16520-19a4-4c16-9d63-0c54ce2426bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e8**8O/ٍ] ]Ɋ&  !Xٍ]O/ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0cc16520-19a4-4c16-9d63-0c54ce2426bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ge8**0P/ٍ] ]Ɋ&  !Xٍ]P/ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0cc16520-19a4-4c16-9d63-0c54ce2426bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0Q/ٍ] ]Ɋ&  !Xٍ]Q/ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0cc16520-19a4-4c16-9d63-0c54ce2426bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ssF0**0R/ٍ] ]Ɋ&  !Xٍ]R/ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0cc16520-19a4-4c16-9d63-0c54ce2426bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**S/ٍ] ]Ɋ&  !ٍ]S/ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0cc16520-19a4-4c16-9d63-0c54ce2426bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=de124562-1b0c-4d45-b27e-0b679d45aae5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ge**T/ٍ] ]Ɋ&  !ٍ]T/ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=0cc16520-19a4-4c16-9d63-0c54ce2426bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=de124562-1b0c-4d45-b27e-0b679d45aae5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=":""** U/o&] ]Ɋ&  !Xo&]U/ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0f4a7049-846e-41d4-821b-9c702a9ffa88 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=x ** V/o&] ]Ɋ&  !Xo&]V/ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0f4a7049-846e-41d4-821b-9c702a9ffa88 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** W/o&] ]Ɋ&  !Xo&]W/ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0f4a7049-846e-41d4-821b-9c702a9ffa88 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rfa ** X/o&] ]Ɋ&  !Xo&]X/ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0f4a7049-846e-41d4-821b-9c702a9ffa88 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-42 ** Y/o&] ]Ɋ&  !Xo&]Y/ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0f4a7049-846e-41d4-821b-9c702a9ffa88 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=9c9 ** Z/o&] ]Ɋ&  !Xo&]Z/ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0f4a7049-846e-41d4-821b-9c702a9ffa88 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Li ** [/o&] ]Ɋ& e !o&][/ F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0f4a7049-846e-41d4-821b-9c702a9ffa88 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=da9acd19-a4d8-43a8-b4b2-903d0fb8a2f7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ta ** \/o&] ]Ɋ& q !o&]\/ F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=0f4a7049-846e-41d4-821b-9c702a9ffa88 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=da9acd19-a4d8-43a8-b4b2-903d0fb8a2f7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cuti **]/o&] ]Ɋ& 7!Xo&]]/ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=234349a3-8e8b-4008-8c05-f3b18605951b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**^/o&] ]Ɋ& O!Xo&]^/ F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=234349a3-8e8b-4008-8c05-f3b18605951b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**_/o&] ]Ɋ& K!Xo&]_/ F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=234349a3-8e8b-4008-8c05-f3b18605951b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Nam**`/o&] ]Ɋ& C!Xo&]`/ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=234349a3-8e8b-4008-8c05-f3b18605951b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eId**a/o&] ]Ɋ& C!Xo&]a/ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=234349a3-8e8b-4008-8c05-f3b18605951b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Pi**b/o&] ]Ɋ& E!Xo&]b/ F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=234349a3-8e8b-4008-8c05-f3b18605951b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ce**@c/] ]Ɋ& !]c/ F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=234349a3-8e8b-4008-8c05-f3b18605951b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=21cbfd00-99e5-4a9b-baa3-dcbf2e3b8735 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me@**Pd/] ]Ɋ& !]d/ F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=234349a3-8e8b-4008-8c05-f3b18605951b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=21cbfd00-99e5-4a9b-baa3-dcbf2e3b8735 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mandPme= Comman ]Ɋ& ne]e/ F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnke/z/e/z/`)xMu=VysMc&&**e/] ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !]e/ F&F%g>9{p(xlMD EventDatauoData !BinaryStoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=96fa5baa-952b-4479-8833-28ebf02d7839 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=8e591ade-f3da-4eea-b7c9-77009157d554 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **Xf/^ ]Ɋ&  !X^f/ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4e80d5c9-b06e-41ea-b887-217c245cc5c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=g.X**pg/^ ]Ɋ&  !X^g/ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4e80d5c9-b06e-41ea-b887-217c245cc5c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= p**ph/^ ]Ɋ&  !X^h/ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4e80d5c9-b06e-41ea-b887-217c245cc5c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { $p**hi/^ ]Ɋ&  !X^i/ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4e80d5c9-b06e-41ea-b887-217c245cc5c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ruh**hj/^ ]Ɋ&  !X^j/ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4e80d5c9-b06e-41ea-b887-217c245cc5c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Coh**hk/^ ]Ɋ&  !X^k/ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4e80d5c9-b06e-41ea-b887-217c245cc5c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== h**l/^ ]Ɋ&  !^l/ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4e80d5c9-b06e-41ea-b887-217c245cc5c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=df6e222e-654b-4ead-bd38-b450b175f558 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h= **m/^ ]Ɋ& !^m/ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4e80d5c9-b06e-41ea-b887-217c245cc5c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=df6e222e-654b-4ead-bd38-b450b175f558 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**Hn/^ ]Ɋ& !X^n/ F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=99dfe2a6-448e-49a9-920a-c0800c322a41 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eH**`o/^ ]Ɋ& !X^o/ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=99dfe2a6-448e-49a9-920a-c0800c322a41 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**`p/^ ]Ɋ& !X^p/ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=99dfe2a6-448e-49a9-920a-c0800c322a41 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$_.`**Xq/^ ]Ɋ& !X^q/ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=99dfe2a6-448e-49a9-920a-c0800c322a41 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=domX**Xr/^ ]Ɋ& !X^r/ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=99dfe2a6-448e-49a9-920a-c0800c322a41 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=icaX**Xs/^ ]Ɋ& !X^s/ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=99dfe2a6-448e-49a9-920a-c0800c322a41 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=InX**t/^ ]Ɋ& !^t/ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=99dfe2a6-448e-49a9-920a-c0800c322a41 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=b1628a6c-9922-49ec-98c0-df0765d326d4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ho**Xu/Vh^ ]Ɋ&  !XVh^u/ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=214c0d39-9973-4403-8e1a-e0993f98fcfd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rIX**pv/Vh^ ]Ɋ&  !XVh^v/ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=214c0d39-9973-4403-8e1a-e0993f98fcfd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=vap**pw/Vh^ ]Ɋ&  !XVh^w/ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=214c0d39-9973-4403-8e1a-e0993f98fcfd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s +=p**hx/Vh^ ]Ɋ&  !XVh^x/ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=214c0d39-9973-4403-8e1a-e0993f98fcfd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Seleh**hy/Vh^ ]Ɋ&  !XVh^y/ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=214c0d39-9973-4403-8e1a-e0993f98fcfd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**hz/Vh^ ]Ɋ&  !XVh^z/ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=214c0d39-9973-4403-8e1a-e0993f98fcfd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=manh try {  ]Ɋ& nrVh^{/ F&dress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=21cbfd00-99e5-4a9b-baa3-dcbf2e3b8735 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me@**Pd/] ]Ɋ& !]d/ F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=234349a3-8e8b-4008-8c05-f3b18605951b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=21cbfd00-99e5-4a9b-baa3-dcbf2e3b8735 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mandPme= Comman ]Ɋ& ne]e/ F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk{//{//V/Mu=VysMc&&**{/Vh^ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !Vh^{/ F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=214c0d39-9973-4403-8e1a-e0993f98fcfd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=ee2c3641-47dd-4167-8808-d4acda4ab5ac PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**|/Vh^ ]Ɋ& !Vh^|/ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=214c0d39-9973-4403-8e1a-e0993f98fcfd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=ee2c3641-47dd-4167-8808-d4acda4ab5ac PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s** }/^ ]Ɋ& w !X^}/ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=36ea88d0-3b36-477d-8450-87643b236a9b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=C **8~/^ ]Ɋ&  !X^~/ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=36ea88d0-3b36-477d-8450-87643b236a9b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c8**8/^ ]Ɋ&  !X^/ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=36ea88d0-3b36-477d-8450-87643b236a9b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**0/^ ]Ɋ&  !X^/ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=36ea88d0-3b36-477d-8450-87643b236a9b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0/^ ]Ɋ&  !X^/ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=36ea88d0-3b36-477d-8450-87643b236a9b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= @(0**0/^ ]Ɋ&  !X^/ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=36ea88d0-3b36-477d-8450-87643b236a9b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ 0**/^ ]Ɋ&  !^/ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=36ea88d0-3b36-477d-8450-87643b236a9b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=29bbe712-bd27-42e6-b95c-007639111041 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dP**/^ ]Ɋ&  !^/ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=36ea88d0-3b36-477d-8450-87643b236a9b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=29bbe712-bd27-42e6-b95c-007639111041 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **/^ ]Ɋ&  !X^/ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c245c895-94a7-4043-860e-d987cbc9df0d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= if**/^ ]Ɋ&  !X^/ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c245c895-94a7-4043-860e-d987cbc9df0d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sig.**/^ ]Ɋ& !X^/ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c245c895-94a7-4043-860e-d987cbc9df0d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rt**/^ ]Ɋ&  !X^/ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c245c895-94a7-4043-860e-d987cbc9df0d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **/^ ]Ɋ&  !X^/ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c245c895-94a7-4043-860e-d987cbc9df0d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ge**/^ ]Ɋ&  !X^/ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c245c895-94a7-4043-860e-d987cbc9df0d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **/^ ]Ɋ& O!^/ F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c245c895-94a7-4043-860e-d987cbc9df0d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=97b25f22-14e6-474a-aade-4f64e560e577 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-bf2e3b8735  ]Ɋ& ri2^/ F&andLine=mandPme= Comman ]Ɋ& ne]e/ F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk////8p%} Mu=VysMc&&**/2^ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !2^/ F&F%g>9{p(xlMD EventDatauoData !Binary8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c245c895-94a7-4043-860e-d987cbc9df0d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=97b25f22-14e6-474a-aade-4f64e560e577 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**/ŝ^ ]Ɋ& K!Xŝ^/ F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=3e24dbce-c7cb-4109-9976-a09f2d6474cf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.Su**/ŝ^ ]Ɋ& c!Xŝ^/ F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=3e24dbce-c7cb-4109-9976-a09f2d6474cf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **/ŝ^ ]Ɋ& _!Xŝ^/ F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=3e24dbce-c7cb-4109-9976-a09f2d6474cf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**/ŝ^ ]Ɋ& W!Xŝ^/ F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=3e24dbce-c7cb-4109-9976-a09f2d6474cf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **/ŝ^ ]Ɋ& W!Xŝ^/ F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=3e24dbce-c7cb-4109-9976-a09f2d6474cf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **/ŝ^ ]Ɋ& Y!Xŝ^/ F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=3e24dbce-c7cb-4109-9976-a09f2d6474cf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **X/ŝ^ ]Ɋ& !ŝ^/ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=3e24dbce-c7cb-4109-9976-a09f2d6474cf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=cc67de9e-3de4-4520-81da-0b28d36ee6f9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ScX**`/ŝ^ ]Ɋ& !ŝ^/ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=3e24dbce-c7cb-4109-9976-a09f2d6474cf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=cc67de9e-3de4-4520-81da-0b28d36ee6f9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=de`** /7^^ ]Ɋ& w !X7^^/ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b7b92b93-d64d-4141-9aff-090818cbb420 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r **8/7^^ ]Ɋ&  !X7^^/ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b7b92b93-d64d-4141-9aff-090818cbb420 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e8**8/7^^ ]Ɋ&  !X7^^/ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b7b92b93-d64d-4141-9aff-090818cbb420 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ind8**0/7^^ ]Ɋ&  !X7^^/ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b7b92b93-d64d-4141-9aff-090818cbb420 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eIn0**0/7^^ ]Ɋ&  !X7^^/ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b7b92b93-d64d-4141-9aff-090818cbb420 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0/7^^ ]Ɋ&  !X7^^/ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b7b92b93-d64d-4141-9aff-090818cbb420 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le0**/7^^ ]Ɋ&  !7^^/ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b7b92b93-d64d-4141-9aff-090818cbb420 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=79fe8880-230d-4ee0-adec-a63cfb1c3d15 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=an**/^ ]Ɋ&  !^/ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=b7b92b93-d64d-4141-9aff-090818cbb420 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=79fe8880-230d-4ee0-adec-a63cfb1c3d15 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Inte**`/"^ ]Ɋ& !X"^/ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f719914c-1cbf-44e2-b823-1884cdae0e18 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-lsgwbwi0.ku1.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e -`**x/"^ ]Ɋ& !X"^/ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f719914c-1cbf-44e2-b823-1884cdae0e18 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-lsgwbwi0.ku1.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Rx**p/"^ ]Ɋ& !X"^/ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f719914c-1cbf-44e2-b823-1884cdae0e18 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-lsgwbwi0.ku1.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-p**h/"^ ]Ɋ& !X"^/ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f719914c-1cbf-44e2-b823-1884cdae0e18 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-lsgwbwi0.ku1.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=kh**h/"^ ]Ɋ& !X"^/ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f719914c-1cbf-44e2-b823-1884cdae0e18 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-lsgwbwi0.ku1.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sh**p/"^ ]Ɋ& !X"^/ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f719914c-1cbf-44e2-b823-1884cdae0e18 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-lsgwbwi0.ku1.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tAppp**/"^ ]Ɋ& !"^/ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f719914c-1cbf-44e2-b823-1884cdae0e18 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-lsgwbwi0.ku1.ps1 EngineVersion=4.0 RunspaceId=217deca6-7826-4be4-92a2-2909268201e2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= tas**/"^ ]Ɋ& !"^/ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=f719914c-1cbf-44e2-b823-1884cdae0e18 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-lsgwbwi0.ku1.ps1 EngineVersion=4.0 RunspaceId=217deca6-7826-4be4-92a2-2909268201e2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oo** /"^ ]Ɋ& w !X"^/ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ee6c326e-be6c-482d-8914-9e916e5e415f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r **8/"^ ]Ɋ&  !X"^/ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ee6c326e-be6c-482d-8914-9e916e5e415f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8minutes afte ]Ɋ& r.X"^/ F&rs = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=97b25f22-14e6-474a-aade-4f64e560e577 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-bf2e3b8735  ]Ɋ& ri2^/ F&andLine=mandPme= Comman ]Ɋ& ne]e/ F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk////0Hb5=hMu=VysMc&&**8/"^ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X"^/ F&F%g>9{p(xlMD EventDatauoData !Binaryh FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ee6c326e-be6c-482d-8914-9e916e5e415f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8**0/"^ ]Ɋ&  !X"^/ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ee6c326e-be6c-482d-8914-9e916e5e415f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0/"^ ]Ɋ&  !X"^/ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ee6c326e-be6c-482d-8914-9e916e5e415f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -o0**0/"^ ]Ɋ&  !X"^/ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ee6c326e-be6c-482d-8914-9e916e5e415f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=el0**/"^ ]Ɋ&  !"^/ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ee6c326e-be6c-482d-8914-9e916e5e415f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=19d673a6-37a6-49d7-b049-6019dafa9d71 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **/^ ]Ɋ&  !^/ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=ee6c326e-be6c-482d-8914-9e916e5e415f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=19d673a6-37a6-49d7-b049-6019dafa9d71 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=brea** /^ ]Ɋ&  !X^/ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e322da55-8c1b-4816-b265-6d80a1df71a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ti ** /^ ]Ɋ&  !X^/ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e322da55-8c1b-4816-b265-6d80a1df71a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ti ** /^ ]Ɋ&  !X^/ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e322da55-8c1b-4816-b265-6d80a1df71a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** ** /^ ]Ɋ&  !X^/ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e322da55-8c1b-4816-b265-6d80a1df71a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rati ** /^ ]Ɋ&  !X^/ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e322da55-8c1b-4816-b265-6d80a1df71a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mac) ** /^ ]Ɋ&  !X^/ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e322da55-8c1b-4816-b265-6d80a1df71a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ue ** /^ ]Ɋ& ; !^/ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e322da55-8c1b-4816-b265-6d80a1df71a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion=4.0 RunspaceId=cbdb3d01-fcb4-459b-8048-1dd9a67d201b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) { **/^ ]Ɋ&  !^/ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=99dfe2a6-448e-49a9-920a-c0800c322a41 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=b1628a6c-9922-49ec-98c0-df0765d326d4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** /T^ ]Ɋ& G !T^/ F&$ StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e322da55-8c1b-4816-b265-6d80a1df71a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion=4.0 RunspaceId=cbdb3d01-fcb4-459b-8048-1dd9a67d201b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t **X/E^ ]Ɋ&  !XE^/ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6159331a-7f80-48da-bf1f-e4f4a6284703 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=\vX**p/E^ ]Ɋ&  !XE^/ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6159331a-7f80-48da-bf1f-e4f4a6284703 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i0p**p/E^ ]Ɋ&  !XE^/ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6159331a-7f80-48da-bf1f-e4f4a6284703 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c) {p**h/E^ ]Ɋ&  !XE^/ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6159331a-7f80-48da-bf1f-e4f4a6284703 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sionh RunspaceId ]Ɋ&  SXE^/ F&ommandLine= 8minutes afte ]Ɋ& r.X"^/ F&rs = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=97b25f22-14e6-474a-aade-4f64e560e577 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-bf2e3b8735  ]Ɋ& ri2^/ F&andLine=mandPme= Comman ]Ɋ& ne]e/ F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk////D?Mu=VysMc&&**h/E^ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! I!XE^/ F&F%g>9{p(xlMD EventDatauoData !Binary RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6159331a-7f80-48da-bf1f-e4f4a6284703 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h/E^ ]Ɋ&  !XE^/ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6159331a-7f80-48da-bf1f-e4f4a6284703 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**/E^ ]Ɋ&  !E^/ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6159331a-7f80-48da-bf1f-e4f4a6284703 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=fdf1214c-0a87-4d14-86b7-fbf377a87b4a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rov**/E^ ]Ɋ& !E^/ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=6159331a-7f80-48da-bf1f-e4f4a6284703 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=fdf1214c-0a87-4d14-86b7-fbf377a87b4a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** /E^ ]Ɋ& w !XE^/ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7eda6b2f-9aa5-42dc-9684-a6bd116998c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r **8/E^ ]Ɋ&  !XE^/ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7eda6b2f-9aa5-42dc-9684-a6bd116998c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l8**8/E^ ]Ɋ&  !XE^/ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7eda6b2f-9aa5-42dc-9684-a6bd116998c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ew-8**0/E^ ]Ɋ&  !XE^/ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7eda6b2f-9aa5-42dc-9684-a6bd116998c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cat0**0/E^ ]Ɋ&  !XE^/ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7eda6b2f-9aa5-42dc-9684-a6bd116998c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { 0**0/E^ ]Ɋ&  !XE^/ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7eda6b2f-9aa5-42dc-9684-a6bd116998c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e=0**/E^ ]Ɋ&  !E^/ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7eda6b2f-9aa5-42dc-9684-a6bd116998c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=0013d9d8-ed67-4d4f-8d8e-dbf9da780532 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le**/^ ]Ɋ&  !^/ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=7eda6b2f-9aa5-42dc-9684-a6bd116998c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=0013d9d8-ed67-4d4f-8d8e-dbf9da780532 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X/pذ^ ]Ɋ&  !Xpذ^/ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=34ac51d2-abdb-498e-a9f9-712fdf64d45f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $X**p/pذ^ ]Ɋ&  !Xpذ^/ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=34ac51d2-abdb-498e-a9f9-712fdf64d45f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $p**p/pذ^ ]Ɋ&  !Xpذ^/ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=34ac51d2-abdb-498e-a9f9-712fdf64d45f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $Erp**h/pذ^ ]Ɋ&  !Xpذ^/ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=34ac51d2-abdb-498e-a9f9-712fdf64d45f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $Erh**h/pذ^ ]Ɋ&  !Xpذ^/ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=34ac51d2-abdb-498e-a9f9-712fdf64d45f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= - th repetition  ]Ɋ&  "Xpذ^/ F&rigger: $_" } EngineVersion=4.0 RunspaceId=97b25f22-14e6-474a-aade-4f64e560e577 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-bf2e3b8735  ]Ɋ& ri2^/ F&andLine=mandPme= Comman ]Ɋ& ne]e/ F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk////J3 rMu=VysMc&&**h/pذ^ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! K!Xpذ^/ F&F%g>9{p(xlMD EventDatauoData !Binary VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=34ac51d2-abdb-498e-a9f9-712fdf64d45f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**/pذ^ ]Ɋ&  !pذ^/ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=34ac51d2-abdb-498e-a9f9-712fdf64d45f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=081ff871-8a65-4d2a-9e91-7a5be031a3e3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**/pذ^ ]Ɋ& !pذ^/ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=34ac51d2-abdb-498e-a9f9-712fdf64d45f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=081ff871-8a65-4d2a-9e91-7a5be031a3e3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X/+^ ]Ɋ&  !X+^/ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c8b45fb8-56e9-42c3-89c5-161490962e78 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=LiX**p/+^ ]Ɋ&  !X+^/ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c8b45fb8-56e9-42c3-89c5-161490962e78 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**p/+^ ]Ɋ&  !X+^/ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c8b45fb8-56e9-42c3-89c5-161490962e78 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**h/+^ ]Ɋ&  !X+^/ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c8b45fb8-56e9-42c3-89c5-161490962e78 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h/+^ ]Ɋ&  !X+^/ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c8b45fb8-56e9-42c3-89c5-161490962e78 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tarth**h/+^ ]Ɋ&  !X+^/ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c8b45fb8-56e9-42c3-89c5-161490962e78 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**/+^ ]Ɋ&  !+^/ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c8b45fb8-56e9-42c3-89c5-161490962e78 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=8d2eb9ae-9699-4133-8ff5-4a5d54350396 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ole**/+^ ]Ɋ& !+^/ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c8b45fb8-56e9-42c3-89c5-161490962e78 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=8d2eb9ae-9699-4133-8ff5-4a5d54350396 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=H** /2ļ^ ]Ɋ& w !X2ļ^/ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=acbf53af-0e9a-4b03-818f-318cf47162c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8/2ļ^ ]Ɋ&  !X2ļ^/ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=acbf53af-0e9a-4b03-818f-318cf47162c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t8**8/2ļ^ ]Ɋ&  !X2ļ^/ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=acbf53af-0e9a-4b03-818f-318cf47162c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ste8**0/2ļ^ ]Ɋ&  !X2ļ^/ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=acbf53af-0e9a-4b03-818f-318cf47162c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nS0**0/2ļ^ ]Ɋ&  !X2ļ^/ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=acbf53af-0e9a-4b03-818f-318cf47162c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=/0**0/2ļ^ ]Ɋ&  !X2ļ^/ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=acbf53af-0e9a-4b03-818f-318cf47162c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0 "X ]Ɋ& ng2ļ^/ F&7b25f22-14e6-474a-aade-4f64e560e577 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-bf2e3b8735  ]Ɋ& ri2^/ F&andLine=mandPme= Comman ]Ɋ& ne]e/ F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk////`!T%Mu=VysMc&&**/2ļ^ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! e!2ļ^/ F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=acbf53af-0e9a-4b03-818f-318cf47162c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=2bd45d0e-b135-4ff6-8657-c7aa949638cf PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**/2ļ^ ]Ɋ&  !2ļ^/ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=acbf53af-0e9a-4b03-818f-318cf47162c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=2bd45d0e-b135-4ff6-8657-c7aa949638cf PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==**/\^ ]Ɋ&  !X\^/ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=31e6222c-1dc8-4b65-a594-ca4afe143708 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ath=**/\^ ]Ɋ&  !X\^/ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=31e6222c-1dc8-4b65-a594-ca4afe143708 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**/\^ ]Ɋ& !X\^/ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=31e6222c-1dc8-4b65-a594-ca4afe143708 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**/\^ ]Ɋ&  !X\^/ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=31e6222c-1dc8-4b65-a594-ca4afe143708 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=FӨ**/\^ ]Ɋ&  !X\^/ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=31e6222c-1dc8-4b65-a594-ca4afe143708 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ov**/\^ ]Ɋ&  !X\^/ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=31e6222c-1dc8-4b65-a594-ca4afe143708 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S**/\^ ]Ɋ& O!\^/ F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=31e6222c-1dc8-4b65-a594-ca4afe143708 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=5abc4782-9877-4090-85d5-bd92e1fe79dd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**/\^ ]Ɋ& [!\^/ F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=31e6222c-1dc8-4b65-a594-ca4afe143708 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=5abc4782-9877-4090-85d5-bd92e1fe79dd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2c3**8 /^ ]Ɋ&  !X^/ F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d7150261-c47d-4798-a762-86e4e395a00c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8 **P /^ ]Ɋ&  !X^/ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d7150261-c47d-4798-a762-86e4e395a00c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=meP **P /^ ]Ɋ&  !X^/ F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d7150261-c47d-4798-a762-86e4e395a00c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gnorP **H /^ ]Ɋ&  !X^/ F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d7150261-c47d-4798-a762-86e4e395a00c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tewaH **H /^ ]Ɋ&  !X^/ F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d7150261-c47d-4798-a762-86e4e395a00c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H **H /^ ]Ɋ&  !X^/ F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d7150261-c47d-4798-a762-86e4e395a00c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=| WH ** /^ ]Ɋ&  !^/ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d7150261-c47d-4798-a762-86e4e395a00c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=e79065d0-8dfc-4923-9e28-6d38c7cd50a2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { $cfg = G ]Ɋ& on^/ F&_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0 "X ]Ɋ& ng2ļ^/ F&7b25f22-14e6-474a-aade-4f64e560e577 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-bf2e3b8735  ]Ɋ& ri2^/ F&andLine=mandPme= Comman ]Ɋ& ne]e/ F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk/0/0h k?JfMu=VysMc&&**/^ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !^/ F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d7150261-c47d-4798-a762-86e4e395a00c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=e79065d0-8dfc-4923-9e28-6d38c7cd50a2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=6-** /^ ]Ɋ& w !X^/ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=87505a41-f32d-409f-a81c-9d596acbde11 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8/^ ]Ɋ&  !X^/ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=87505a41-f32d-409f-a81c-9d596acbde11 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r8**8/^ ]Ɋ&  !X^/ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=87505a41-f32d-409f-a81c-9d596acbde11 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sto8**0/^ ]Ɋ&  !X^/ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=87505a41-f32d-409f-a81c-9d596acbde11 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=edu0**0/^ ]Ɋ&  !X^/ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=87505a41-f32d-409f-a81c-9d596acbde11 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rig0**0/^ ]Ɋ&  !X^/ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=87505a41-f32d-409f-a81c-9d596acbde11 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=th0**/^ ]Ɋ&  !^/ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=87505a41-f32d-409f-a81c-9d596acbde11 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f1d39499-1262-4bc4-a6a1-2689705f294f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=es**/R^ ]Ɋ&  !R^/ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=87505a41-f32d-409f-a81c-9d596acbde11 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f1d39499-1262-4bc4-a6a1-2689705f294f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=# De**/R^ ]Ɋ& K!XR^/ F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d7f230ef-3580-4cc3-9f8b-2b8eea24c936 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Hos**/R^ ]Ɋ& c!XR^/ F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d7f230ef-3580-4cc3-9f8b-2b8eea24c936 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ry **/R^ ]Ɋ& _!XR^/ F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d7f230ef-3580-4cc3-9f8b-2b8eea24c936 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s**/R^ ]Ɋ& W!XR^/ F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d7f230ef-3580-4cc3-9f8b-2b8eea24c936 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**/R^ ]Ɋ& W!XR^/ F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d7f230ef-3580-4cc3-9f8b-2b8eea24c936 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**/R^ ]Ɋ& Y!XR^/ F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d7f230ef-3580-4cc3-9f8b-2b8eea24c936 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ern **X/R^ ]Ɋ& !R^/ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d7f230ef-3580-4cc3-9f8b-2b8eea24c936 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=a0e0bbce-9415-490e-85df-76626d62aa91 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ionDX**`/R^ ]Ɋ& !R^/ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d7f230ef-3580-4cc3-9f8b-2b8eea24c936 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=a0e0bbce-9415-490e-85df-76626d62aa91 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `** /@^ ]Ɋ& w !X@^/ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=fd2b1b8d-671d-4974-9fb9-4f58cc619d64 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l **8/@^ ]Ɋ&  !X@^/ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=fd2b1b8d-671d-4974-9fb9-4f58cc619d64 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e8**80@^ ]Ɋ&  !X@^0 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=fd2b1b8d-671d-4974-9fb9-4f58cc619d64 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ c8**00@^ ]Ɋ&  !X@^0 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=fd2b1b8d-671d-4974-9fb9-4f58cc619d64 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mIn0**00@^ ]Ɋ&  !X@^0 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=fd2b1b8d-671d-4974-9fb9-4f58cc619d64 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n0Ɋ& ]Ɋ& X@^0 F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk0000Eg% Mu=VysMc&&**80@^ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X@^0 F&F%g>9{p(xlMD EventDatauoData !Binaryb VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=fd2b1b8d-671d-4974-9fb9-4f58cc619d64 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8**0@^ ]Ɋ&  !@^0 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=fd2b1b8d-671d-4974-9fb9-4f58cc619d64 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d4903b83-a958-4393-b7b8-c5bc7ec89f7e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= P**0@^ ]Ɋ&  !@^0 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=fd2b1b8d-671d-4974-9fb9-4f58cc619d64 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d4903b83-a958-4393-b7b8-c5bc7ec89f7e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==Sta** 0׃^ ]Ɋ&  !X׃^0 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=53711553-3061-482a-8cdb-6a2a4a8b47d3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t ** 0׃^ ]Ɋ&  !X׃^0 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=53711553-3061-482a-8cdb-6a2a4a8b47d3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c ** 0׃^ ]Ɋ&  !X׃^0 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=53711553-3061-482a-8cdb-6a2a4a8b47d3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bde ** 0׃^ ]Ɋ&  !X׃^ 0 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=53711553-3061-482a-8cdb-6a2a4a8b47d3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=led ** 0׃^ ]Ɋ&  !X׃^ 0 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=53711553-3061-482a-8cdb-6a2a4a8b47d3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 0׃^ ]Ɋ&  !X׃^ 0 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=53711553-3061-482a-8cdb-6a2a4a8b47d3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nP ** 0׃^ ]Ɋ& e !׃^ 0 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=53711553-3061-482a-8cdb-6a2a4a8b47d3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=ea8642bf-dd9a-4450-ad05-1079d716ac92 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=}  **X 0׃^ ]Ɋ&  !X׃^ 0 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5ac0f969-382b-4954-8cbc-39f1173480c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= cX**p0׃^ ]Ɋ&  !X׃^0 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5ac0f969-382b-4954-8cbc-39f1173480c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**p0׃^ ]Ɋ&  !X׃^0 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5ac0f969-382b-4954-8cbc-39f1173480c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=calDp**h0׃^ ]Ɋ&  !X׃^0 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5ac0f969-382b-4954-8cbc-39f1173480c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=7662h**h0׃^ ]Ɋ&  !X׃^0 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5ac0f969-382b-4954-8cbc-39f1173480c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0-00h**h0׃^ ]Ɋ&  !X׃^0 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5ac0f969-382b-4954-8cbc-39f1173480c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**0׃^ ]Ɋ&  !׃^0 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5ac0f969-382b-4954-8cbc-39f1173480c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=5163b47c-8e02-46ff-b7bd-b9c6a160f786 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **0׃^ ]Ɋ& !׃^0 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5ac0f969-382b-4954-8cbc-39f1173480c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=5163b47c-8e02-46ff-b7bd-b9c6a160f786 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=}** 0׃^ ]Ɋ& q !׃^0 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=53711553-3061-482a-8cdb-6a2a4a8b47d3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=ea8642bf-dd9a-4450-ad05-1079d716ac92 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=,Int faceMetric  ]Ɋ&  -X׃^0 F&) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n0Ɋ& ]Ɋ& X@^0 F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk040040HevwMu=VysMc&&**`0׃^ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! =!X׃^0 F&F%g>9{p(xlMD EventDatauoData !Binary AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b10c6f04-7514-4b43-bcc4-478b41ec1e1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=]Ɋ&`**p0׃^ ]Ɋ&  !X׃^0 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b10c6f04-7514-4b43-bcc4-478b41ec1e1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=@p**p0׃^ ]Ɋ&  !X׃^0 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b10c6f04-7514-4b43-bcc4-478b41ec1e1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**h0׃^ ]Ɋ&  !X׃^0 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b10c6f04-7514-4b43-bcc4-478b41ec1e1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r.Inh**h0׃^ ]Ɋ&  !X׃^0 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b10c6f04-7514-4b43-bcc4-478b41ec1e1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Comh**h0׃^ ]Ɋ&  !X׃^0 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b10c6f04-7514-4b43-bcc4-478b41ec1e1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nfih**0׃^ ]Ɋ&  !׃^0 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b10c6f04-7514-4b43-bcc4-478b41ec1e1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=527c9f7e-d738-4664-9757-994241985a4e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C**0׃^ ]Ɋ& 7!X׃^0 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1a971be5-7ecb-43e9-b925-9ccaeefb1011 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s**0׃^ ]Ɋ& O!X׃^0 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1a971be5-7ecb-43e9-b925-9ccaeefb1011 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S**0׃^ ]Ɋ& K!X׃^0 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1a971be5-7ecb-43e9-b925-9ccaeefb1011 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -a** 0׃^ ]Ɋ& C!X׃^ 0 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1a971be5-7ecb-43e9-b925-9ccaeefb1011 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$($**!0׃^ ]Ɋ& C!X׃^!0 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1a971be5-7ecb-43e9-b925-9ccaeefb1011 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $p**"0׃^ ]Ɋ& E!X׃^"0 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1a971be5-7ecb-43e9-b925-9ccaeefb1011 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **@#0׃^ ]Ɋ& !׃^#0 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1a971be5-7ecb-43e9-b925-9ccaeefb1011 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=5cf9cd65-3373-4f0f-86fb-64541f166bff PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e @**$0׃^ ]Ɋ& !׃^$0 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b10c6f04-7514-4b43-bcc4-478b41ec1e1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=527c9f7e-d738-4664-9757-994241985a4e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **P%0m^ ]Ɋ& !m^%0 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=1a971be5-7ecb-43e9-b925-9ccaeefb1011 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=5cf9cd65-3373-4f0f-86fb-64541f166bff PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=FirsP**H&0l_ ]Ɋ& !Xl_&0 F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=77ac1ae5-4da3-40ea-8775-0fe116ad957e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**`'0l_ ]Ɋ& !Xl_'0 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=77ac1ae5-4da3-40ea-8775-0fe116ad957e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=:`**`(0l_ ]Ɋ& !Xl_(0 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=77ac1ae5-4da3-40ea-8775-0fe116ad957e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tif`**X)0l_ ]Ɋ& !Xl_)0 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=77ac1ae5-4da3-40ea-8775-0fe116ad957e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=re X**X*0l_ ]Ɋ& !Xl_*0 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=77ac1ae5-4da3-40ea-8775-0fe116ad957e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=82bX**X+0l_ ]Ɋ& !Xl_+0 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=77ac1ae5-4da3-40ea-8775-0fe116ad957e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**,0l_ ]Ɋ& !l_,0 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=77ac1ae5-4da3-40ea-8775-0fe116ad957e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a5e1a8c4-3723-4c99-b506-104f03578351 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **-0qu_ ]Ɋ& K!Xqu_-0 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d6b39c44-72c2-4c27-b969-d5df8a526e25 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-No**.0qu_ ]Ɋ& c!Xqu_.0 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d6b39c44-72c2-4c27-b969-d5df8a526e25 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ere**/0qu_ ]Ɋ& _!Xqu_/0 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d6b39c44-72c2-4c27-b969-d5df8a526e25 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**00qu_ ]Ɋ& W!Xqu_00 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d6b39c44-72c2-4c27-b969-d5df8a526e25 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=O**10qu_ ]Ɋ& W!Xqu_10 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d6b39c44-72c2-4c27-b969-d5df8a526e25 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **20qu_ ]Ɋ& Y!Xqu_20 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d6b39c44-72c2-4c27-b969-d5df8a526e25 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NetA**X30qu_ ]Ɋ& !qu_30 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d6b39c44-72c2-4c27-b969-d5df8a526e25 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=4c045bc3-c28e-42b7-9010-67347868044a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ComX**`40qu_ ]Ɋ& !qu_40 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d6b39c44-72c2-4c27-b969-d5df8a526e25 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=4c045bc3-c28e-42b7-9010-67347868044a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= W`re-Object {  ]Ɋ& ACX#v_50 F&rst 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n0Ɋ& ]Ɋ& X@^0 F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk50M050M0tm;PMu=VysMc&&**(50#v_ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X#v_50 F&F%g>9{p(xlMD EventDatauoData !BinaryT AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=662b9ab7-15ef-4f26-81de-f5e87ed12924 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=an(**860#v_ ]Ɋ&  !X#v_60 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=662b9ab7-15ef-4f26-81de-f5e87ed12924 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n8**870#v_ ]Ɋ&  !X#v_70 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=662b9ab7-15ef-4f26-81de-f5e87ed12924 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=neI8**080#v_ ]Ɋ&  !X#v_80 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=662b9ab7-15ef-4f26-81de-f5e87ed12924 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sio0**090#v_ ]Ɋ&  !X#v_90 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=662b9ab7-15ef-4f26-81de-f5e87ed12924 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=)" 0**0:0#v_ ]Ɋ&  !X#v_:0 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=662b9ab7-15ef-4f26-81de-f5e87ed12924 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ER0**;0#v_ ]Ɋ&  !#v_;0 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=662b9ab7-15ef-4f26-81de-f5e87ed12924 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=03b1a271-99a0-4d03-abce-d30fc32558c8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ex**<0v_ ]Ɋ&  !v_<0 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=662b9ab7-15ef-4f26-81de-f5e87ed12924 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=03b1a271-99a0-4d03-abce-d30fc32558c8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rovi** =0v_ ]Ɋ&  !Xv_=0 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=565e83ef-29dc-4866-9934-fa3c88908516 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" ** >0v_ ]Ɋ&  !Xv_>0 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=565e83ef-29dc-4866-9934-fa3c88908516 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** ?0v_ ]Ɋ&  !Xv_?0 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=565e83ef-29dc-4866-9934-fa3c88908516 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** @0v_ ]Ɋ&  !Xv_@0 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=565e83ef-29dc-4866-9934-fa3c88908516 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rti ** A0v_ ]Ɋ&  !Xv_A0 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=565e83ef-29dc-4866-9934-fa3c88908516 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n=4 ** B0v_ ]Ɋ&  !Xv_B0 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=565e83ef-29dc-4866-9934-fa3c88908516 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Li ** C0v_ ]Ɋ& e !v_C0 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=565e83ef-29dc-4866-9934-fa3c88908516 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=6602f3a8-5bcc-4e4e-b6b9-483e8b02a8f0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ed ** D0v_ ]Ɋ& q !v_D0 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=565e83ef-29dc-4866-9934-fa3c88908516 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=6602f3a8-5bcc-4e4e-b6b9-483e8b02a8f0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ionP **E0v_ ]Ɋ& 7!Xv_E0 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=06ceae29-ec44-47c1-8b7c-e115e2fd5468 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **F0v_ ]Ɋ& O!Xv_F0 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=06ceae29-ec44-47c1-8b7c-e115e2fd5468 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**G0v_ ]Ɋ& K!Xv_G0 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=06ceae29-ec44-47c1-8b7c-e115e2fd5468 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ct **H0v_ ]Ɋ& C!Xv_H0 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=06ceae29-ec44-47c1-8b7c-e115e2fd5468 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ach**I0v_ ]Ɋ& C!Xv_I0 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=06ceae29-ec44-47c1-8b7c-e115e2fd5468 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} |**J0v_ ]Ɋ& E!Xv_J0 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=06ceae29-ec44-47c1-8b7c-e115e2fd5468 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e **@K05Tw_ ]Ɋ& !5Tw_K0 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=06ceae29-ec44-47c1-8b7c-e115e2fd5468 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=796e0ec7-f314-44f1-b7dd-8e2428a99d35 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ @**PL05Tw_ ]Ɋ& !5Tw_L0 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=06ceae29-ec44-47c1-8b7c-e115e2fd5468 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=796e0ec7-f314-44f1-b7dd-8e2428a99d35 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=EachP**M0l_ ]Ɋ&  !l_M0 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=77ac1ae5-4da3-40ea-8775-0fe116ad957e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a5e1a8c4-3723-4c99-b506-104f03578351 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Firs1 }  ]Ɋ& { Xi`N0 F& { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n0Ɋ& ]Ɋ& X@^0 F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnkN0i0N0i0F=FIuMu=VysMc&&**PN0i` ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! /!Xi`N0 F&F%g>9{p(xlMD EventDatauoData !Binary|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c9931c6d-0e4b-4ae2-a2d7-649d1993d6d2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ecP**`O0i` ]Ɋ& !Xi`O0 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c9931c6d-0e4b-4ae2-a2d7-649d1993d6d2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=`**`P0i` ]Ɋ& !Xi`P0 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c9931c6d-0e4b-4ae2-a2d7-649d1993d6d2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= (`**XQ0i` ]Ɋ& !Xi`Q0 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c9931c6d-0e4b-4ae2-a2d7-649d1993d6d2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $nX**XR0i` ]Ɋ& !Xi`R0 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c9931c6d-0e4b-4ae2-a2d7-649d1993d6d2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= = X**XS0i` ]Ɋ& !Xi`S0 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c9931c6d-0e4b-4ae2-a2d7-649d1993d6d2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -X**T0i` ]Ɋ& !i`T0 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c9931c6d-0e4b-4ae2-a2d7-649d1993d6d2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=218fe87c-ee17-4676-a161-bc399f8414c4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sh**U0Z(` ]Ɋ& K!XZ(`U0 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5c2d6593-d57d-4df9-a2b0-14d11fe4cda8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= an**V0Z(` ]Ɋ& c!XZ(`V0 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5c2d6593-d57d-4df9-a2b0-14d11fe4cda8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**W0Z(` ]Ɋ& _!XZ(`W0 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5c2d6593-d57d-4df9-a2b0-14d11fe4cda8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r**X0Z(` ]Ɋ& W!XZ(`X0 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5c2d6593-d57d-4df9-a2b0-14d11fe4cda8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s**Y0Z(` ]Ɋ& W!XZ(`Y0 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5c2d6593-d57d-4df9-a2b0-14d11fe4cda8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s**Z0Z(` ]Ɋ& Y!XZ(`Z0 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5c2d6593-d57d-4df9-a2b0-14d11fe4cda8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=work**X[0Z(` ]Ɋ& !Z(`[0 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5c2d6593-d57d-4df9-a2b0-14d11fe4cda8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=dcc044d2-91a9-4666-a8a9-9de29c389899 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=stApX**`\0Z(` ]Ɋ& !Z(`\0 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5c2d6593-d57d-4df9-a2b0-14d11fe4cda8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=dcc044d2-91a9-4666-a8a9-9de29c389899 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} `** ]0Z(` ]Ɋ& w !XZ(`]0 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1c9494eb-dc50-409a-b152-e44a08d099fa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8^0Z(` ]Ɋ&  !XZ(`^0 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1c9494eb-dc50-409a-b152-e44a08d099fa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=k8**8_0Z(` ]Ɋ&  !XZ(`_0 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1c9494eb-dc50-409a-b152-e44a08d099fa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $r8**0`0Z(` ]Ɋ&  !XZ(``0 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1c9494eb-dc50-409a-b152-e44a08d099fa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cti0**0a0Z(` ]Ɋ&  !XZ(`a0 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1c9494eb-dc50-409a-b152-e44a08d099fa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $d0**0b0Z(` ]Ɋ&  !XZ(`b0 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1c9494eb-dc50-409a-b152-e44a08d099fa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ve0**c0f(` ]Ɋ&  !f(`c0 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1c9494eb-dc50-409a-b152-e44a08d099fa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f7efcbd3-e1c1-474a-b5b9-e5c3bc3cfeeb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ma**d0f(` ]Ɋ&  !f(`d0 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=1c9494eb-dc50-409a-b152-e44a08d099fa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f7efcbd3-e1c1-474a-b5b9-e5c3bc3cfeeb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Star** e0)` ]Ɋ&  !X)`e0 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=bc49a4a2-9c0e-4389-aaf4-3d069ff30200 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a ** f0)` ]Ɋ&  !X)`f0 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=bc49a4a2-9c0e-4389-aaf4-3d069ff30200 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=- ** g0)` ]Ɋ&  !X)`g0 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=bc49a4a2-9c0e-4389-aaf4-3d069ff30200 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** h0)` ]Ɋ&  !X)`h0 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=bc49a4a2-9c0e-4389-aaf4-3d069ff30200 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= | ** i0)` ]Ɋ&  !X)`i0 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=bc49a4a2-9c0e-4389-aaf4-3d069ff30200 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=equ ceNumber=15  ]Ɋ& stX)`j0 F&e116ad957e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a5e1a8c4-3723-4c99-b506-104f03578351 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Firs1 }  ]Ɋ& { Xi`N0 F& { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n0Ɋ& ]Ɋ& X@^0 F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnkj00j008;7Mu=VysMc&&** j0)` ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !X)`j0 F&F%g>9{p(xlMD EventDatauoData !BinaryVariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=bc49a4a2-9c0e-4389-aaf4-3d069ff30200 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ste ** k0)` ]Ɋ& e !)`k0 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=bc49a4a2-9c0e-4389-aaf4-3d069ff30200 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=27202fca-7b92-4060-8514-c37d455840e1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on ** l0)` ]Ɋ& q !)`l0 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=bc49a4a2-9c0e-4389-aaf4-3d069ff30200 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=27202fca-7b92-4060-8514-c37d455840e1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=399f **m0)` ]Ɋ& 7!X)`m0 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ad02487a-1d2d-4dab-bb88-2f89bb8d9bd4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**n0)` ]Ɋ& O!X)`n0 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ad02487a-1d2d-4dab-bb88-2f89bb8d9bd4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **o0)` ]Ɋ& K!X)`o0 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ad02487a-1d2d-4dab-bb88-2f89bb8d9bd4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -C**p0)` ]Ɋ& C!X)`p0 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ad02487a-1d2d-4dab-bb88-2f89bb8d9bd4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tTo**q0)` ]Ɋ& C!X)`q0 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ad02487a-1d2d-4dab-bb88-2f89bb8d9bd4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=| C**r0)` ]Ɋ& E!X)`r0 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ad02487a-1d2d-4dab-bb88-2f89bb8d9bd4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine="}**@s0)` ]Ɋ& !)`s0 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ad02487a-1d2d-4dab-bb88-2f89bb8d9bd4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=9dbc6f9b-47d3-4953-8cd2-c7244c76549a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=om@**Pt0$*` ]Ɋ& !$*`t0 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ad02487a-1d2d-4dab-bb88-2f89bb8d9bd4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=9dbc6f9b-47d3-4953-8cd2-c7244c76549a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rtToP**u0(4` ]Ɋ&  !(4`u0 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c9931c6d-0e4b-4ae2-a2d7-649d1993d6d2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=218fe87c-ee17-4676-a161-bc399f8414c4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=(Get**Xv0O` ]Ɋ&  !XO`v0 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0f376e2b-1160-402d-973b-3ddf045bdfea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=etX**pw0O` ]Ɋ&  !XO`w0 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0f376e2b-1160-402d-973b-3ddf045bdfea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=onp**px0O` ]Ɋ&  !XO`x0 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0f376e2b-1160-402d-973b-3ddf045bdfea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=etRop**hy0O` ]Ɋ&  !XO`y0 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0f376e2b-1160-402d-973b-3ddf045bdfea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0.0.h**hz0O` ]Ɋ&  !XO`z0 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0f376e2b-1160-402d-973b-3ddf045bdfea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=uteMh**h{0O` ]Ɋ&  !XO`{0 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0f376e2b-1160-402d-973b-3ddf045bdfea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ih**|0O` ]Ɋ&  !O`|0 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0f376e2b-1160-402d-973b-3ddf045bdfea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=6a82a156-b798-4008-8b97-3d128487a999 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t-C**}0O` ]Ɋ& !O`}0 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=0f376e2b-1160-402d-973b-3ddf045bdfea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=6a82a156-b798-4008-8b97-3d128487a999 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=v**X~0I` ]Ɋ&  !XI`~0 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=bfb9faed-6fe6-4e1b-9cbf-a7a8f704be51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=maX**p0I` ]Ɋ&  !XI`0 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=bfb9faed-6fe6-4e1b-9cbf-a7a8f704be51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $p**p0I` ]Ɋ&  !XI`0 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=bfb9faed-6fe6-4e1b-9cbf-a7a8f704be51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e= pommandType=  ]Ɋ& eqXI`0 F& stX)`j0 F&e116ad957e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a5e1a8c4-3723-4c99-b506-104f03578351 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Firs1 }  ]Ɋ& { Xi`N0 F& { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n0Ɋ& ]Ɋ& X@^0 F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk0000Žp-pg\Mu=VysMc&&**h0I` ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! I!XI`0 F&F%g>9{p(xlMD EventDatauoData !Binary FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=bfb9faed-6fe6-4e1b-9cbf-a7a8f704be51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eh**h0I` ]Ɋ&  !XI`0 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=bfb9faed-6fe6-4e1b-9cbf-a7a8f704be51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on=4h**h0I` ]Ɋ&  !XI`0 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=bfb9faed-6fe6-4e1b-9cbf-a7a8f704be51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ench**0I` ]Ɋ&  !I`0 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=bfb9faed-6fe6-4e1b-9cbf-a7a8f704be51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=27a6f976-e0ee-4be8-8c0a-b98d111bd683 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **0I` ]Ɋ& !I`0 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=bfb9faed-6fe6-4e1b-9cbf-a7a8f704be51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=27a6f976-e0ee-4be8-8c0a-b98d111bd683 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=v** 0!` ]Ɋ& w !X!`0 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8000b97d-1403-47c6-ab3b-641f6ae995de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=A **80!` ]Ɋ&  !X!`0 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8000b97d-1403-47c6-ab3b-641f6ae995de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**80!` ]Ɋ&  !X!`0 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8000b97d-1403-47c6-ab3b-641f6ae995de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=(-n8**00!` ]Ɋ&  !X!`0 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8000b97d-1403-47c6-ab3b-641f6ae995de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=EPT0**00!` ]Ɋ&  !X!`0 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8000b97d-1403-47c6-ab3b-641f6ae995de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=op'0**00!` ]Ɋ&  !X!`0 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8000b97d-1403-47c6-ab3b-641f6ae995de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$E0**0!` ]Ɋ&  !!`0 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8000b97d-1403-47c6-ab3b-641f6ae995de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=40713a6e-f8d7-466a-828e-9fcaf241753f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nP**0z` ]Ɋ&  !z`0 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=8000b97d-1403-47c6-ab3b-641f6ae995de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=40713a6e-f8d7-466a-828e-9fcaf241753f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Bypa**0z` ]Ɋ&  !Xz`0 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=326aeb9a-24de-4a1a-b59c-6ae86af02cdb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y By**0z` ]Ɋ&  !Xz`0 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=326aeb9a-24de-4a1a-b59c-6ae86af02cdb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=renc**0z` ]Ɋ& !Xz`0 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=326aeb9a-24de-4a1a-b59c-6ae86af02cdb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=v:**0z` ]Ɋ&  !Xz`0 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=326aeb9a-24de-4a1a-b59c-6ae86af02cdb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omndPath= Co ]Ɋ& Xz`0 F&{ Xi`N0 F& { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n0Ɋ& ]Ɋ& X@^0 F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk00000j.Mu=VysMc&&**0z` ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !Xz`0 F&F%g>9{p(xlMD EventDatauoData !Binary RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=326aeb9a-24de-4a1a-b59c-6ae86af02cdb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**0z` ]Ɋ&  !Xz`0 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=326aeb9a-24de-4a1a-b59c-6ae86af02cdb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**0z` ]Ɋ& O!z`0 F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=326aeb9a-24de-4a1a-b59c-6ae86af02cdb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=b5dada2e-1040-4924-a77b-86fd53f3b29d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **0N` ]Ɋ& [!N`0 F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=326aeb9a-24de-4a1a-b59c-6ae86af02cdb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=b5dada2e-1040-4924-a77b-86fd53f3b29d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=equ**8 0{D` ]Ɋ&  !X{D`0 F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=20edf6cb-7a5a-41d4-bfc2-e6bcd2336001 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C8 **P 0{D` ]Ɋ&  !X{D`0 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=20edf6cb-7a5a-41d4-bfc2-e6bcd2336001 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= EP **P 0{D` ]Ɋ&  !X{D`0 F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=20edf6cb-7a5a-41d4-bfc2-e6bcd2336001 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t-ObP **H 0{D` ]Ɋ&  !X{D`0 F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=20edf6cb-7a5a-41d4-bfc2-e6bcd2336001 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= WinH **H 0{D` ]Ɋ&  !X{D`0 F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=20edf6cb-7a5a-41d4-bfc2-e6bcd2336001 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=and H **H 0{D` ]Ɋ&  !X{D`0 F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=20edf6cb-7a5a-41d4-bfc2-e6bcd2336001 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ntiH ** 0{D` ]Ɋ&  !{D`0 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=20edf6cb-7a5a-41d4-bfc2-e6bcd2336001 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=82e9b823-fc26-4026-b3de-1b8596f58de8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t $ ** 0{D` ]Ɋ&  !{D`0 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=20edf6cb-7a5a-41d4-bfc2-e6bcd2336001 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=82e9b823-fc26-4026-b3de-1b8596f58de8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 0` ]Ɋ& w !X`0 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b4199a63-28c6-4845-afe9-90884c88f0b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **80` ]Ɋ&  !X`0 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b4199a63-28c6-4845-afe9-90884c88f0b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**80` ]Ɋ&  !X`0 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b4199a63-28c6-4845-afe9-90884c88f0b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= tr8**00` ]Ɋ&  !X`0 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b4199a63-28c6-4845-afe9-90884c88f0b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ARN0**00` ]Ɋ&  !X`0 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b4199a63-28c6-4845-afe9-90884c88f0b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ows0ersions - se ]Ɋ& NGX`0 F&ttings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omndPath= Co ]Ɋ& Xz`0 F&{ Xi`N0 F& { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n0Ɋ& ]Ɋ& X@^0 F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk0000H_>%?Mu=VysMc&&**80` ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X`0 F&F%g>9{p(xlMD EventDatauoData !Binaryb VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b4199a63-28c6-4845-afe9-90884c88f0b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Com8**0` ]Ɋ&  !`0 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b4199a63-28c6-4845-afe9-90884c88f0b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d32006ba-1a40-4cf3-87d1-1e3c8c81dadc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Id**0u` ]Ɋ&  !u`0 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=b4199a63-28c6-4845-afe9-90884c88f0b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d32006ba-1a40-4cf3-87d1-1e3c8c81dadc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pace**0u` ]Ɋ& K!Xu`0 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5318bdfa-1f67-4874-9677-7928230b9140 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oun**0u` ]Ɋ& c!Xu`0 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5318bdfa-1f67-4874-9677-7928230b9140 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t t**0u` ]Ɋ& _!Xu`0 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5318bdfa-1f67-4874-9677-7928230b9140 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-**0u` ]Ɋ& W!Xu`0 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5318bdfa-1f67-4874-9677-7928230b9140 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**0u` ]Ɋ& W!Xu`0 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5318bdfa-1f67-4874-9677-7928230b9140 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**0u` ]Ɋ& Y!Xu`0 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5318bdfa-1f67-4874-9677-7928230b9140 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cess**X0u` ]Ɋ& !u`0 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5318bdfa-1f67-4874-9677-7928230b9140 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=a47e2b79-2e1d-476f-8bad-c3af76e92296 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=th= X**`0u` ]Ɋ& !u`0 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5318bdfa-1f67-4874-9677-7928230b9140 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=a47e2b79-2e1d-476f-8bad-c3af76e92296 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=id`** 0u` ]Ɋ& w !Xu`0 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=54ca6d8f-3ba1-46bc-beef-7401c5c986a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o **80u` ]Ɋ&  !Xu`0 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=54ca6d8f-3ba1-46bc-beef-7401c5c986a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r8**80u` ]Ɋ&  !Xu`0 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=54ca6d8f-3ba1-46bc-beef-7401c5c986a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= if8**00u` ]Ɋ&  !Xu`0 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=54ca6d8f-3ba1-46bc-beef-7401c5c986a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=and0**00u` ]Ɋ&  !Xu`0 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=54ca6d8f-3ba1-46bc-beef-7401c5c986a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e) 0**00u` ]Ɋ&  !Xu`0 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=54ca6d8f-3ba1-46bc-beef-7401c5c986a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1 0**0u` ]Ɋ&  !u`0 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=54ca6d8f-3ba1-46bc-beef-7401c5c986a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=88d20984-b22f-47fc-a9d4-c402edf2424b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bj**0>` ]Ɋ&  !>`0 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=54ca6d8f-3ba1-46bc-beef-7401c5c986a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=88d20984-b22f-47fc-a9d4-c402edf2424b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on |** 0>` ]Ɋ&  !X>`0 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=750c61b8-02eb-4ac2-af8f-3e07e81a0dd9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r ** 0>` ]Ɋ&  !X>`0 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=750c61b8-02eb-4ac2-af8f-3e07e81a0dd9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 0>` ]Ɋ&  !X>`0 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=750c61b8-02eb-4ac2-af8f-3e07e81a0dd9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= if ** 0>` ]Ɋ&  !X>`0 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=750c61b8-02eb-4ac2-af8f-3e07e81a0dd9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me= CommandPath ]Ɋ& X>`0 F&Xz`0 F&{ Xi`N0 F& { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n0Ɋ& ]Ɋ& X@^0 F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk0000qoQMu=VysMc&&** 0>` ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !X>`0 F&F%g>9{p(xlMD EventDatauoData !BinaryRegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=750c61b8-02eb-4ac2-af8f-3e07e81a0dd9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 0>` ]Ɋ&  !X>`0 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=750c61b8-02eb-4ac2-af8f-3e07e81a0dd9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 0>` ]Ɋ& e !>`0 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=750c61b8-02eb-4ac2-af8f-3e07e81a0dd9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=71247fb7-d874-4fdc-a907-5d396917d3ba PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Av **X0>` ]Ɋ&  !X>`0 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=918fd8ba-504a-4f91-ab0d-a3d91a15e7f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0X**p0>` ]Ɋ&  !X>`0 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=918fd8ba-504a-4f91-ab0d-a3d91a15e7f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -p**p0>` ]Ɋ&  !X>`0 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=918fd8ba-504a-4f91-ab0d-a3d91a15e7f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Commp**h0>` ]Ɋ&  !X>`0 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=918fd8ba-504a-4f91-ab0d-a3d91a15e7f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Numbh**h0>` ]Ɋ&  !X>`0 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=918fd8ba-504a-4f91-ab0d-a3d91a15e7f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=entlh**h0>` ]Ɋ&  !X>`0 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=918fd8ba-504a-4f91-ab0d-a3d91a15e7f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fg h**0>` ]Ɋ&  !>`0 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=918fd8ba-504a-4f91-ab0d-a3d91a15e7f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=e0fe8544-62b3-429c-958b-ae1e13e9f575 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=| W**0>` ]Ɋ& !>`0 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=918fd8ba-504a-4f91-ab0d-a3d91a15e7f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=e0fe8544-62b3-429c-958b-ae1e13e9f575 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=}** 0զ` ]Ɋ& q !զ`0 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=750c61b8-02eb-4ac2-af8f-3e07e81a0dd9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=71247fb7-d874-4fdc-a907-5d396917d3ba PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($ad **X0զ` ]Ɋ&  !Xզ`0 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=08bb3423-5df5-4598-a49f-5243a899a20b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=erX**p0զ` ]Ɋ&  !Xզ`0 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=08bb3423-5df5-4598-a49f-5243a899a20b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Adp**p0զ` ]Ɋ&  !Xզ`0 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=08bb3423-5df5-4598-a49f-5243a899a20b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=and p**h0զ` ]Ɋ&  !Xզ`0 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=08bb3423-5df5-4598-a49f-5243a899a20b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rverh**h0զ` ]Ɋ&  !Xզ`0 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=08bb3423-5df5-4598-a49f-5243a899a20b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ostIh**h0զ` ]Ɋ&  !Xզ`0 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=08bb3423-5df5-4598-a49f-5243a899a20b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= +=hcomputerInfo ]Ɋ& rsզ`0 F&| Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me= CommandPath ]Ɋ& X>`0 F&Xz`0 F&{ Xi`N0 F& { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n0Ɋ& ]Ɋ& X@^0 F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk0000!\Mu=VysMc&&**0զ` ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !զ`0 F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=08bb3423-5df5-4598-a49f-5243a899a20b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=c2174517-8473-4fc1-a853-5b14bc06d84e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**0զ` ]Ɋ& !զ`0 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=08bb3423-5df5-4598-a49f-5243a899a20b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=c2174517-8473-4fc1-a853-5b14bc06d84e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**0զ` ]Ɋ& 7!Xզ`0 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=dca37507-c186-4700-af8b-1d1b698b2a00 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**0զ` ]Ɋ& O!Xզ`0 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=dca37507-c186-4700-af8b-1d1b698b2a00 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**0զ` ]Ɋ& K!Xզ`0 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=dca37507-c186-4700-af8b-1d1b698b2a00 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=:NE**0զ` ]Ɋ& C!Xզ`0 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=dca37507-c186-4700-af8b-1d1b698b2a00 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **0զ` ]Ɋ& C!Xզ`0 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=dca37507-c186-4700-af8b-1d1b698b2a00 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eSy**0զ` ]Ɋ& E!Xզ`0 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=dca37507-c186-4700-af8b-1d1b698b2a00 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rt**@0զ` ]Ɋ& !զ`0 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=dca37507-c186-4700-af8b-1d1b698b2a00 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=004a7732-4b5c-4a28-8ced-664cbea76519 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= W@**P0զ` ]Ɋ& !զ`0 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=dca37507-c186-4700-af8b-1d1b698b2a00 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=004a7732-4b5c-4a28-8ced-664cbea76519 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=US:$P**H0tGaa ]Ɋ& !XtGaa0 F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=316cc83b-1faa-47bf-963b-766e81c89c8b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**`0tGaa ]Ɋ& !XtGaa0 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=316cc83b-1faa-47bf-963b-766e81c89c8b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o`**`0tGaa ]Ɋ& !XtGaa0 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=316cc83b-1faa-47bf-963b-766e81c89c8b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**X0tGaa ]Ɋ& !XtGaa0 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=316cc83b-1faa-47bf-963b-766e81c89c8b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=et X**X0tGaa ]Ɋ& !XtGaa0 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=316cc83b-1faa-47bf-963b-766e81c89c8b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=empX**X0tGaa ]Ɋ& !XtGaa0 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=316cc83b-1faa-47bf-963b-766e81c89c8b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=5eX**0tGaa ]Ɋ& !tGaa0 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=316cc83b-1faa-47bf-963b-766e81c89c8b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=2e386b97-c6fc-4120-be74-51d17e33974a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=te**0da ]Ɋ&  !da0 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=316cc83b-1faa-47bf-963b-766e81c89c8b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=2e386b97-c6fc-4120-be74-51d17e33974a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Valu**0oa ]Ɋ& K!Xoa0 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e9ae110e-2e2f-4a1a-b094-e618c78a2a4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=enc**0oa ]Ɋ& c!Xoa0 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e9ae110e-2e2f-4a1a-b094-e618c78a2a4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **0oa ]Ɋ& _!Xoa0 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e9ae110e-2e2f-4a1a-b094-e618c78a2a4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**0oa ]Ɋ& W!Xoa0 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e9ae110e-2e2f-4a1a-b094-e618c78a2a4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**0oa ]Ɋ& W!Xoa0 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e9ae110e-2e2f-4a1a-b094-e618c78a2a4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **0oa ]Ɋ& Y!Xoa0 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e9ae110e-2e2f-4a1a-b094-e618c78a2a4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $**X0oa ]Ɋ& !oa0 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e9ae110e-2e2f-4a1a-b094-e618c78a2a4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=0b649bb9-89dc-43c6-bfd8-c7e71b0eaeea PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ine=X**`0oa ]Ɋ& !oa0 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e9ae110e-2e2f-4a1a-b094-e618c78a2a4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=0b649bb9-89dc-43c6-bfd8-c7e71b0eaeea PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Wr`** 0oa ]Ɋ& w !Xoa0 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b6f99928-836a-4180-9a4a-525a6ecbcdf5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i **80oa ]Ɋ&  !Xoa0 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b6f99928-836a-4180-9a4a-525a6ecbcdf5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=O8**80oa ]Ɋ&  !Xoa0 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b6f99928-836a-4180-9a4a-525a6ecbcdf5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tif8**00oa ]Ɋ&  !Xoa0 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b6f99928-836a-4180-9a4a-525a6ecbcdf5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**00oa ]Ɋ&  !Xoa0 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b6f99928-836a-4180-9a4a-525a6ecbcdf5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ESS0**00oa ]Ɋ&  !Xoa0 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b6f99928-836a-4180-9a4a-525a6ecbcdf5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=an0ame= Comma ]Ɋ& inoa0 F& X@^0 F& ],B]L/ F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLi =o`andPath= CommandLine= ElfChnk0 10 1u| ]Mu=VysMc&&**0oa ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! e!oa0 F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b6f99928-836a-4180-9a4a-525a6ecbcdf5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d1759324-9caa-480f-a834-75fde97e59a1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=and**0Fa ]Ɋ&  !Fa0 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=b6f99928-836a-4180-9a4a-525a6ecbcdf5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d1759324-9caa-480f-a834-75fde97e59a1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pe= ** 0Fa ]Ɋ&  !XFa0 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=46392ab6-3434-4986-a204-1d6787379f7a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a ** 0Fa ]Ɋ&  !XFa0 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=46392ab6-3434-4986-a204-1d6787379f7a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d ** 0Fa ]Ɋ&  !XFa0 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=46392ab6-3434-4986-a204-1d6787379f7a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ru ** 0Fa ]Ɋ&  !XFa0 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=46392ab6-3434-4986-a204-1d6787379f7a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ge ** 0Fa ]Ɋ&  !XFa0 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=46392ab6-3434-4986-a204-1d6787379f7a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 0Fa ]Ɋ&  !XFa0 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=46392ab6-3434-4986-a204-1d6787379f7a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ta ** 0Fa ]Ɋ& e !Fa0 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=46392ab6-3434-4986-a204-1d6787379f7a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=bbb7091e-2127-4881-a469-e2c1fcbadd4e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= - ** 0ހa ]Ɋ& q !ހa0 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=46392ab6-3434-4986-a204-1d6787379f7a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=bbb7091e-2127-4881-a469-e2c1fcbadd4e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C **0ހa ]Ɋ& 7!Xހa0 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0ee529cc-f1b6-4ae7-a653-5d3f7eabbfdf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**0ހa ]Ɋ& O!Xހa0 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0ee529cc-f1b6-4ae7-a653-5d3f7eabbfdf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**0ހa ]Ɋ& K!Xހa0 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0ee529cc-f1b6-4ae7-a653-5d3f7eabbfdf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**0ހa ]Ɋ& C!Xހa0 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0ee529cc-f1b6-4ae7-a653-5d3f7eabbfdf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**0ހa ]Ɋ& C!Xހa0 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0ee529cc-f1b6-4ae7-a653-5d3f7eabbfdf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**0ހa ]Ɋ& E!Xހa0 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0ee529cc-f1b6-4ae7-a653-5d3f7eabbfdf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**@0ހa ]Ɋ& !ހa0 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0ee529cc-f1b6-4ae7-a653-5d3f7eabbfdf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=fbd3d2e2-a701-4b81-a246-e65f6476962d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=@**P0ހa ]Ɋ& !ހa0 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=0ee529cc-f1b6-4ae7-a653-5d3f7eabbfdf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=fbd3d2e2-a701-4b81-a246-e65f6476962d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P**H0b ]Ɋ& !Xb0 F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d0712e6c-c42e-413b-893b-b13e90a018c5 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sH**`0b ]Ɋ& !Xb0 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d0712e6c-c42e-413b-893b-b13e90a018c5 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y`**`1b ]Ɋ& !Xb1 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d0712e6c-c42e-413b-893b-b13e90a018c5 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cAd`**X1b ]Ɋ& !Xb1 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d0712e6c-c42e-413b-893b-b13e90a018c5 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=orkX**X1b ]Ɋ& !Xb1 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d0712e6c-c42e-413b-893b-b13e90a018c5 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oleX**X1b ]Ɋ& !Xb1 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d0712e6c-c42e-413b-893b-b13e90a018c5 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=faX**1b ]Ɋ& !b1 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d0712e6c-c42e-413b-893b-b13e90a018c5 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=b8a67abf-935a-4ae3-98b9-bf49e3c8f04b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ga**1}2b ]Ɋ& K!X}2b1 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7b60a2a2-d25f-4898-87de-08b52883c8b2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ll.**1}2b ]Ɋ& c!X}2b1 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7b60a2a2-d25f-4898-87de-08b52883c8b2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **1}2b ]Ɋ& _!X}2b1 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7b60a2a2-d25f-4898-87de-08b52883c8b2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**1}2b ]Ɋ& W!X}2b1 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7b60a2a2-d25f-4898-87de-08b52883c8b2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n** 1}2b ]Ɋ& W!X}2b 1 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7b60a2a2-d25f-4898-87de-08b52883c8b2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l** 1}2b ]Ɋ& Y!X}2b 1 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7b60a2a2-d25f-4898-87de-08b52883c8b2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Pref**X 1}2b ]Ɋ& !}2b 1 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7b60a2a2-d25f-4898-87de-08b52883c8b2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=07de74f9-50cb-4cf6-98aa-099d8be30f8f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ed -X**` 1}2b ]Ɋ& !}2b 1 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=7b60a2a2-d25f-4898-87de-08b52883c8b2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=07de74f9-50cb-4cf6-98aa-099d8be30f8f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xe`**  1}2b ]Ɋ& w !X}2b 1 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b61b6ea5-af7b-4b65-bef1-dc06bd32c9d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e dLi =o`andPath= CommandLine= ElfChnk1)11)1_lMu=VysMc&&**@1}2b ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X}2b1 F&F%g>9{p(xlMD EventDatauoData !Binaryl EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b61b6ea5-af7b-4b65-bef1-dc06bd32c9d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== @**81}2b ]Ɋ&  !X}2b1 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b61b6ea5-af7b-4b65-bef1-dc06bd32c9d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== 8**01}2b ]Ɋ&  !X}2b1 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b61b6ea5-af7b-4b65-bef1-dc06bd32c9d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= f0**01}2b ]Ɋ&  !X}2b1 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b61b6ea5-af7b-4b65-bef1-dc06bd32c9d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} c0**01}2b ]Ɋ&  !X}2b1 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b61b6ea5-af7b-4b65-bef1-dc06bd32c9d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= {0**1}2b ]Ɋ&  !}2b1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b61b6ea5-af7b-4b65-bef1-dc06bd32c9d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=45781a70-0f90-4a6a-9999-e93f427cb28a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ma**1d3b ]Ɋ&  !d3b1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=b61b6ea5-af7b-4b65-bef1-dc06bd32c9d1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=45781a70-0f90-4a6a-9999-e93f427cb28a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ell.**1d3b ]Ɋ&  !d3b1 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d0712e6c-c42e-413b-893b-b13e90a018c5 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=b8a67abf-935a-4ae3-98b9-bf49e3c8f04b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rver** 1d3b ]Ɋ&  !Xd3b1 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7fce39d2-c284-40a1-9da5-e8a4a7d46dff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n ** 1d3b ]Ɋ&  !Xd3b1 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7fce39d2-c284-40a1-9da5-e8a4a7d46dff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=k ** 1d3b ]Ɋ&  !Xd3b1 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7fce39d2-c284-40a1-9da5-e8a4a7d46dff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=onI ** 1d3b ]Ɋ&  !Xd3b1 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7fce39d2-c284-40a1-9da5-e8a4a7d46dff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 1d3b ]Ɋ&  !Xd3b1 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7fce39d2-c284-40a1-9da5-e8a4a7d46dff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ct ** 1d3b ]Ɋ&  !Xd3b1 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7fce39d2-c284-40a1-9da5-e8a4a7d46dff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C ** 1d3b ]Ɋ& e !d3b1 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7fce39d2-c284-40a1-9da5-e8a4a7d46dff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=c62b76d8-cc2b-4fac-90cf-b079585019f1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=* ** 13b ]Ɋ& q !3b1 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=7fce39d2-c284-40a1-9da5-e8a4a7d46dff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=c62b76d8-cc2b-4fac-90cf-b079585019f1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==13 **13b ]Ɋ& 7!X3b1 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=47583834-0fdd-417d-987f-00851d4ff4f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c**13b ]Ɋ& O!X3b1 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=47583834-0fdd-417d-987f-00851d4ff4f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=x** 13b ]Ɋ& K!X3b 1 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=47583834-0fdd-417d-987f-00851d4ff4f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ter**!13b ]Ɋ& C!X3b!1 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=47583834-0fdd-417d-987f-00851d4ff4f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e -**"13b ]Ɋ& C!X3b"1 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=47583834-0fdd-417d-987f-00851d4ff4f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NoP**#13b ]Ɋ& E!X3b#1 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=47583834-0fdd-417d-987f-00851d4ff4f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ll**@$13b ]Ɋ& !3b$1 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=47583834-0fdd-417d-987f-00851d4ff4f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=581eddcd-4a96-4dbc-8f87-36adfc26a0f4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ac@**P%13b ]Ɋ& !3b%1 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=47583834-0fdd-417d-987f-00851d4ff4f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=581eddcd-4a96-4dbc-8f87-36adfc26a0f4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le -P**H&10b ]Ɋ& !X0b&1 F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=bccee1af-a9f8-414f-93b3-3d2a313b5073 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=H**`'10b ]Ɋ& !X0b'1 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=bccee1af-a9f8-414f-93b3-3d2a313b5073 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t`**`(10b ]Ɋ& !X0b(1 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=bccee1af-a9f8-414f-93b3-3d2a313b5073 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nd `**X)10b ]Ɋ& !X0b)1 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=bccee1af-a9f8-414f-93b3-3d2a313b5073 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ommXdName= Com ]Ɋ& dLX0b*1 F&dPath= CommandLine= ElfChnk*1=1*1=1 TuEMu=VysMc&&**X*10b ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! ;!X0b*1 F&F%g>9{p(xlMD EventDatauoData !BinaryRegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=bccee1af-a9f8-414f-93b3-3d2a313b5073 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**X+10b ]Ɋ& !X0b+1 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=bccee1af-a9f8-414f-93b3-3d2a313b5073 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**,10b ]Ɋ& !0b,1 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=bccee1af-a9f8-414f-93b3-3d2a313b5073 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=51434abb-f653-4740-a2eb-14315cc054c7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**-1. b ]Ɋ&  !. b-1 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=bccee1af-a9f8-414f-93b3-3d2a313b5073 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=51434abb-f653-4740-a2eb-14315cc054c7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e) {**X.1b ]Ɋ&  !Xb.1 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=90403fde-bb34-41cf-b909-dd094d8494dd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-NX**p/1b ]Ɋ&  !Xb/1 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=90403fde-bb34-41cf-b909-dd094d8494dd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0.p**p01b ]Ɋ&  !Xb01 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=90403fde-bb34-41cf-b909-dd094d8494dd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=etrip**h11b ]Ɋ&  !Xb11 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=90403fde-bb34-41cf-b909-dd094d8494dd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f ($h**h21b ]Ɋ&  !Xb21 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=90403fde-bb34-41cf-b909-dd094d8494dd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=erfah**h31b ]Ɋ&  !Xb31 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=90403fde-bb34-41cf-b909-dd094d8494dd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Namh**41b ]Ɋ&  !b41 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=90403fde-bb34-41cf-b909-dd094d8494dd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=9e4e939d-691d-4fe5-a9d8-ef06a786ec38 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=erf**51b ]Ɋ& !b51 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=90403fde-bb34-41cf-b909-dd094d8494dd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=9e4e939d-691d-4fe5-a9d8-ef06a786ec38 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**X61b ]Ɋ&  !Xb61 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8e997191-b254-40de-9bf6-3f8e6ab0d727 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=acX**p71b ]Ɋ&  !Xb71 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8e997191-b254-40de-9bf6-3f8e6ab0d727 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=map**p81b ]Ɋ&  !Xb81 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8e997191-b254-40de-9bf6-3f8e6ab0d727 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== @(p**h91b ]Ɋ&  !Xb91 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8e997191-b254-40de-9bf6-3f8e6ab0d727 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Hh**h:1b ]Ɋ&  !Xb:1 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8e997191-b254-40de-9bf6-3f8e6ab0d727 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=arp h**h;1b ]Ɋ&  !Xb;1 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8e997191-b254-40de-9bf6-3f8e6ab0d727 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Nonh**<1b ]Ɋ&  !b<1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8e997191-b254-40de-9bf6-3f8e6ab0d727 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=4a1787ee-d48e-44fa-ab12-cd08c3d369b3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ion**=1b ]Ɋ& !b=1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=8e997191-b254-40de-9bf6-3f8e6ab0d727 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=4a1787ee-d48e-44fa-ab12-cd08c3d369b3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mndLine= ElfChnk>1N1>1N18p,:pnMu=VysMc&&**(>1;Sb ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X;Sb>1 F&F%g>9{p(xlMD EventDatauoData !BinaryT AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e67ab0f6-8026-4764-a1ce-6c38f9a70dc3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pe(**8?1;Sb ]Ɋ&  !X;Sb?1 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e67ab0f6-8026-4764-a1ce-6c38f9a70dc3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s8**8@1;Sb ]Ɋ&  !X;Sb@1 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e67ab0f6-8026-4764-a1ce-6c38f9a70dc3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ate8**0A1;Sb ]Ɋ&  !X;SbA1 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e67ab0f6-8026-4764-a1ce-6c38f9a70dc3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rit0**0B1;Sb ]Ɋ&  !X;SbB1 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e67ab0f6-8026-4764-a1ce-6c38f9a70dc3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0C1;Sb ]Ɋ&  !X;SbC1 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e67ab0f6-8026-4764-a1ce-6c38f9a70dc3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**D1;Sb ]Ɋ&  !;SbD1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e67ab0f6-8026-4764-a1ce-6c38f9a70dc3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=300bf151-4bf5-40d8-b451-fc85bbffa4b1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y **E1b ]Ɋ&  !bE1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=e67ab0f6-8026-4764-a1ce-6c38f9a70dc3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=300bf151-4bf5-40d8-b451-fc85bbffa4b1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $**F1b ]Ɋ&  !XbF1 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b89e490d-8fe2-408a-8b03-3c0e1439df31 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ry {**G1b ]Ɋ&  !XbG1 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b89e490d-8fe2-408a-8b03-3c0e1439df31 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **H1b ]Ɋ& !XbH1 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b89e490d-8fe2-408a-8b03-3c0e1439df31 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ur**I1b ]Ɋ&  !XbI1 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b89e490d-8fe2-408a-8b03-3c0e1439df31 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ca**J1b ]Ɋ&  !XbJ1 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b89e490d-8fe2-408a-8b03-3c0e1439df31 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=io**K1b ]Ɋ&  !XbK1 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b89e490d-8fe2-408a-8b03-3c0e1439df31 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**L1b ]Ɋ& O!bL1 F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b89e490d-8fe2-408a-8b03-3c0e1439df31 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=33294386-9ee3-4b2d-a700-83f623e7bdd3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a**M1hb ]Ɋ& [!hbM1 F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b89e490d-8fe2-408a-8b03-3c0e1439df31 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=33294386-9ee3-4b2d-a700-83f623e7bdd3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cat**8 N1b ]Ɋ&  !XbN1 F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ba0bb530-8728-4d9b-91b4-cfe0529c51c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ed8 yUsageExtens ]Ɋ& ceXbO1 F& $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=4a1787ee-d48e-44fa-ab12-cd08c3d369b3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mndLine= ElfChnkO1c1O1c1EMu=VysMc&&**XO1b ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! 5 !XbO1 F&F%g>9{p(xlMD EventDatauoData !Binary EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ba0bb530-8728-4d9b-91b4-cfe0529c51c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= RX**P P1b ]Ɋ&  !XbP1 F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ba0bb530-8728-4d9b-91b4-cfe0529c51c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1 P **H Q1b ]Ɋ&  !XbQ1 F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ba0bb530-8728-4d9b-91b4-cfe0529c51c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=apteH **H R1b ]Ɋ&  !XbR1 F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ba0bb530-8728-4d9b-91b4-cfe0529c51c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=GateH **H S1b ]Ɋ&  !XbS1 F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ba0bb530-8728-4d9b-91b4-cfe0529c51c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$cfH ** T1b ]Ɋ&  !bT1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ba0bb530-8728-4d9b-91b4-cfe0529c51c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=8eeeac06-7e59-4004-9413-a06557af585c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ ** U1b ]Ɋ&  !bU1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ba0bb530-8728-4d9b-91b4-cfe0529c51c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=8eeeac06-7e59-4004-9413-a06557af585c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** V1b ]Ɋ& w !XbV1 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7a18868c-9497-436a-94fd-7cc5751596f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8W1b ]Ɋ&  !XbW1 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7a18868c-9497-436a-94fd-7cc5751596f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S8**8X1b ]Ɋ&  !XbX1 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7a18868c-9497-436a-94fd-7cc5751596f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=th 8**0Y1b ]Ɋ&  !XbY1 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7a18868c-9497-436a-94fd-7cc5751596f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t c0**0Z1b ]Ɋ&  !XbZ1 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7a18868c-9497-436a-94fd-7cc5751596f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ett0**0[1b ]Ɋ&  !Xb[1 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7a18868c-9497-436a-94fd-7cc5751596f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ll0**\1b ]Ɋ&  !b\1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7a18868c-9497-436a-94fd-7cc5751596f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=911e6b3d-8876-43f6-8fd4-f6194afce1cd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rA**]1+Nb ]Ɋ&  !+Nb]1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=7a18868c-9497-436a-94fd-7cc5751596f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=911e6b3d-8876-43f6-8fd4-f6194afce1cd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$set**^1b ]Ɋ& K!Xb^1 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=70ab09f4-f7c4-4982-a145-bcca89dea1ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rig**_1b ]Ɋ& c!Xb_1 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=70ab09f4-f7c4-4982-a145-bcca89dea1ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tio**`1b ]Ɋ& _!Xb`1 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=70ab09f4-f7c4-4982-a145-bcca89dea1ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**a1b ]Ɋ& W!Xba1 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=70ab09f4-f7c4-4982-a145-bcca89dea1ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**b1b ]Ɋ& W!Xbb1 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=70ab09f4-f7c4-4982-a145-bcca89dea1ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **c1b ]Ɋ& Y!Xbc1 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=70ab09f4-f7c4-4982-a145-bcca89dea1ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= killed++  ]Ɋ&  Ebd1 F& PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ed8 yUsageExtens ]Ɋ& ceXbO1 F& $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=4a1787ee-d48e-44fa-ab12-cd08c3d369b3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mndLine= ElfChnkd1|1d1|18xVoJMu=VysMc&&**X d1b ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! 9!bd1 F&F%g>9{p(xlMD EventDatauoData !BinaryAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=70ab09f4-f7c4-4982-a145-bcca89dea1ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=3930f27d-adcc-428f-b7f5-37f979cf5659 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X **`e1b ]Ɋ& !be1 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=70ab09f4-f7c4-4982-a145-bcca89dea1ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=3930f27d-adcc-428f-b7f5-37f979cf5659 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `** f1b ]Ɋ& w !Xbf1 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=221ff5ce-c981-47c8-b429-0ac58863e9c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8g1b ]Ɋ&  !Xbg1 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=221ff5ce-c981-47c8-b429-0ac58863e9c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P8**8h1b ]Ɋ&  !Xbh1 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=221ff5ce-c981-47c8-b429-0ac58863e9c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=4-c8**0i1b ]Ɋ&  !Xbi1 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=221ff5ce-c981-47c8-b429-0ac58863e9c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=led0**0j1b ]Ɋ&  !Xbj1 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=221ff5ce-c981-47c8-b429-0ac58863e9c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ptu0**0k1b ]Ɋ&  !Xbk1 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=221ff5ce-c981-47c8-b429-0ac58863e9c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0.0**l1b ]Ɋ&  !bl1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=221ff5ce-c981-47c8-b429-0ac58863e9c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b148d7e7-70c1-4dba-9d9a-501dc3bc791c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=,I**m1Xb ]Ɋ&  !Xbm1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=221ff5ce-c981-47c8-b429-0ac58863e9c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b148d7e7-70c1-4dba-9d9a-501dc3bc791c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omma** n1Xb ]Ɋ&  !XXbn1 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=3e13d4b1-3d57-4e16-b092-8a92a3684a93 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** o1Xb ]Ɋ&  !XXbo1 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=3e13d4b1-3d57-4e16-b092-8a92a3684a93 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p ** p1Xb ]Ɋ&  !XXbp1 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=3e13d4b1-3d57-4e16-b092-8a92a3684a93 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** q1Xb ]Ɋ&  !XXbq1 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=3e13d4b1-3d57-4e16-b092-8a92a3684a93 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sta ** r1Xb ]Ɋ&  !XXbr1 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=3e13d4b1-3d57-4e16-b092-8a92a3684a93 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rst ** s1Xb ]Ɋ&  !XXbs1 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=3e13d4b1-3d57-4e16-b092-8a92a3684a93 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t ** t1Xb ]Ɋ& e !Xbt1 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=3e13d4b1-3d57-4e16-b092-8a92a3684a93 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=14d3e425-01d7-4f3d-aea8-08259d97d416 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=7c ** u1b ]Ɋ& q !bu1 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=3e13d4b1-3d57-4e16-b092-8a92a3684a93 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=14d3e425-01d7-4f3d-aea8-08259d97d416 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=CAdd **v1b ]Ɋ& 7!Xbv1 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9e635814-2ec2-4c1d-a647-63b5e8e5c14c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**w1b ]Ɋ& O!Xbw1 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9e635814-2ec2-4c1d-a647-63b5e8e5c14c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **x1b ]Ɋ& K!Xbx1 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9e635814-2ec2-4c1d-a647-63b5e8e5c14c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e -**y1b ]Ɋ& C!Xby1 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9e635814-2ec2-4c1d-a647-63b5e8e5c14c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Med**z1b ]Ɋ& C!Xbz1 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9e635814-2ec2-4c1d-a647-63b5e8e5c14c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t {**{1b ]Ɋ& E!Xb{1 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9e635814-2ec2-4c1d-a647-63b5e8e5c14c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=re**@|1b ]Ɋ& !b|1 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9e635814-2ec2-4c1d-a647-63b5e8e5c14c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=303eb1bf-1579-48d8-82ea-061f8c0efc17 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= @ }  ]Ɋ& ',Xb}1 F&-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=4a1787ee-d48e-44fa-ab12-cd08c3d369b3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mndLine= ElfChnk}11}11p.h۩Mu=VysMc&&**`}1b ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! =!Xb}1 F&F%g>9{p(xlMD EventDatauoData !Binary AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=092857ce-e5b2-4765-8e03-b1529aa24aaa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=stV`**p~1b ]Ɋ&  !Xb~1 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=092857ce-e5b2-4765-8e03-b1529aa24aaa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cep**p1b ]Ɋ&  !Xb1 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=092857ce-e5b2-4765-8e03-b1529aa24aaa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c6 p**h1b ]Ɋ&  !Xb1 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=092857ce-e5b2-4765-8e03-b1529aa24aaa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ell.h**h1b ]Ɋ&  !Xb1 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=092857ce-e5b2-4765-8e03-b1529aa24aaa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=actih**h1b ]Ɋ&  !Xb1 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=092857ce-e5b2-4765-8e03-b1529aa24aaa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ss h**1b ]Ɋ&  !b1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=092857ce-e5b2-4765-8e03-b1529aa24aaa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=264bc05f-9ae0-4a8e-a490-7b41cafb0d4f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=if **1b ]Ɋ& !b1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=092857ce-e5b2-4765-8e03-b1529aa24aaa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=264bc05f-9ae0-4a8e-a490-7b41cafb0d4f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **P1b ]Ɋ& !b1 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9e635814-2ec2-4c1d-a647-63b5e8e5c14c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=303eb1bf-1579-48d8-82ea-061f8c0efc17 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nstaP**X1b ]Ɋ&  !Xb1 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c33f6ce8-3031-47e7-b065-6df80b6b4762 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**p1b ]Ɋ&  !Xb1 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c33f6ce8-3031-47e7-b065-6df80b6b4762 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r.p**p1b ]Ɋ&  !Xb1 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c33f6ce8-3031-47e7-b065-6df80b6b4762 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mandp**h1b ]Ɋ&  !Xb1 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c33f6ce8-3031-47e7-b065-6df80b6b4762 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ig =h**h1b ]Ɋ&  !Xb1 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c33f6ce8-3031-47e7-b065-6df80b6b4762 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eVerh**h1b ]Ɋ&  !Xb1 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c33f6ce8-3031-47e7-b065-6df80b6b4762 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=herh**1b ]Ɋ&  !b1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c33f6ce8-3031-47e7-b065-6df80b6b4762 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=49fe4166-151f-46b2-a13e-a11f95860699 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e -**1b ]Ɋ& !b1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c33f6ce8-3031-47e7-b065-6df80b6b4762 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=49fe4166-151f-46b2-a13e-a11f95860699 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**H1yc ]Ɋ& !Xyc1 F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8fdd937e-3f6b-44ad-97f1-7f9e78b12f98 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=SH**`1yc ]Ɋ& !Xyc1 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8fdd937e-3f6b-44ad-97f1-7f9e78b12f98 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n`d= Command ]Ɋ& h=Xyc1 F&}  ]Ɋ& ',Xb}1 F&-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=4a1787ee-d48e-44fa-ab12-cd08c3d369b3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mndLine= ElfChnk1111H"^eAr\Mu=VysMc&&**`1yc ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! C!Xyc1 F&F%g>9{p(xlMD EventDatauoData !BinaryFileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8fdd937e-3f6b-44ad-97f1-7f9e78b12f98 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=`**X1yc ]Ɋ& !Xyc1 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8fdd937e-3f6b-44ad-97f1-7f9e78b12f98 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=luX**X1yc ]Ɋ& !Xyc1 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8fdd937e-3f6b-44ad-97f1-7f9e78b12f98 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ERX**X1yc ]Ɋ& !Xyc1 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8fdd937e-3f6b-44ad-97f1-7f9e78b12f98 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nPX**1yc ]Ɋ& !yc1 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8fdd937e-3f6b-44ad-97f1-7f9e78b12f98 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=1c75a77d-f5f7-4c66-8c92-57f1574325ac PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er**1c ]Ɋ&  !c1 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=8fdd937e-3f6b-44ad-97f1-7f9e78b12f98 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=1c75a77d-f5f7-4c66-8c92-57f1574325ac PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= } **1c ]Ɋ& K!Xc1 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0ab4a47c-5ec3-4581-9c9f-bf8454368d69 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=E_C**1c ]Ɋ& c!Xc1 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0ab4a47c-5ec3-4581-9c9f-bf8454368d69 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pto**1c ]Ɋ& _!Xc1 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0ab4a47c-5ec3-4581-9c9f-bf8454368d69 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**1c ]Ɋ& W!Xc1 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0ab4a47c-5ec3-4581-9c9f-bf8454368d69 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.**1c ]Ɋ& W!Xc1 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0ab4a47c-5ec3-4581-9c9f-bf8454368d69 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**1c ]Ɋ& Y!Xc1 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0ab4a47c-5ec3-4581-9c9f-bf8454368d69 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ESSA**X1c ]Ɋ& !c1 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0ab4a47c-5ec3-4581-9c9f-bf8454368d69 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=d0a78043-3ef9-4537-bf9b-96f2fecc875d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**`1c ]Ɋ& !c1 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=0ab4a47c-5ec3-4581-9c9f-bf8454368d69 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=d0a78043-3ef9-4537-bf9b-96f2fecc875d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= i`** 1c ]Ɋ& w !Xc1 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9a6f007b-548f-4495-a9a0-6074d76b1651 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a **81c ]Ɋ&  !Xc1 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9a6f007b-548f-4495-a9a0-6074d76b1651 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o8**81c ]Ɋ&  !Xc1 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9a6f007b-548f-4495-a9a0-6074d76b1651 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c 8**01c ]Ɋ&  !Xc1 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9a6f007b-548f-4495-a9a0-6074d76b1651 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ate0**01c ]Ɋ&  !Xc1 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9a6f007b-548f-4495-a9a0-6074d76b1651 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cur0**01c ]Ɋ&  !Xc1 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9a6f007b-548f-4495-a9a0-6074d76b1651 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**1c ]Ɋ&  !c1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9a6f007b-548f-4495-a9a0-6074d76b1651 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b7a19def-afe3-463e-b2b1-7a8729053b8e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=yp**1 c ]Ɋ&  ! c1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=9a6f007b-548f-4495-a9a0-6074d76b1651 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b7a19def-afe3-463e-b2b1-7a8729053b8e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=urit** 1 c ]Ɋ&  !X c1 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7df400ec-77fb-4317-a2f2-027e7a22e541 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S ** 1 c ]Ɋ&  !X c1 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7df400ec-77fb-4317-a2f2-027e7a22e541 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 1 c ]Ɋ&  !X c1 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7df400ec-77fb-4317-a2f2-027e7a22e541 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eEx ** 1 c ]Ɋ&  !X c1 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7df400ec-77fb-4317-a2f2-027e7a22e541 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.St ** 1 c ]Ɋ&  !X c1 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7df400ec-77fb-4317-a2f2-027e7a22e541 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 1 c ]Ɋ&  !X c1 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7df400ec-77fb-4317-a2f2-027e7a22e541 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=RR :$($_.Except ]Ɋ&   c1 F&a-ab12-cd08c3d369b3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mndLine= ElfChnk1111pMu=VysMc&&**1 c ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  ! c1 F&F%g>9{p(xlMD EventDatauoData !BinaryB AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7df400ec-77fb-4317-a2f2-027e7a22e541 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=69538629-c90e-4805-98d0-3a19bcc01769 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=enc** 1 c ]Ɋ& q ! c1 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=7df400ec-77fb-4317-a2f2-027e7a22e541 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=69538629-c90e-4805-98d0-3a19bcc01769 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pass **1Oc ]Ɋ& 7!XOc1 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0078479c-3368-4e57-8200-fa8f9227cb96 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l**1Oc ]Ɋ& O!XOc1 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0078479c-3368-4e57-8200-fa8f9227cb96 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**1Oc ]Ɋ& K!XOc1 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0078479c-3368-4e57-8200-fa8f9227cb96 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=spa**1Oc ]Ɋ& C!XOc1 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0078479c-3368-4e57-8200-fa8f9227cb96 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ver**1Oc ]Ɋ& C!XOc1 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0078479c-3368-4e57-8200-fa8f9227cb96 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= E**1Oc ]Ɋ& E!XOc1 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0078479c-3368-4e57-8200-fa8f9227cb96 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pr**@1Oc ]Ɋ& !Oc1 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0078479c-3368-4e57-8200-fa8f9227cb96 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=f75ce9c7-bc45-43c2-be11-203eabcb0e34 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ac@**P1Oc ]Ɋ& !Oc1 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=0078479c-3368-4e57-8200-fa8f9227cb96 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=f75ce9c7-bc45-43c2-be11-203eabcb0e34 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=96f2P**H1,d ]Ɋ& !X,d1 F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=58143d0e-8c09-4262-8ec2-00a96cc93fc8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=yH**`1,d ]Ɋ& !X,d1 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=58143d0e-8c09-4262-8ec2-00a96cc93fc8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t`**`1,d ]Ɋ& !X,d1 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=58143d0e-8c09-4262-8ec2-00a96cc93fc8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er `**X1,d ]Ɋ& !X,d1 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=58143d0e-8c09-4262-8ec2-00a96cc93fc8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n |X**X1,d ]Ɋ& !X,d1 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=58143d0e-8c09-4262-8ec2-00a96cc93fc8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**X1,d ]Ɋ& !X,d1 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=58143d0e-8c09-4262-8ec2-00a96cc93fc8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -X**1,d ]Ɋ& !,d1 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=58143d0e-8c09-4262-8ec2-00a96cc93fc8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=0a3bef50-3818-49b5-b268-fd039a4eeda1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ta**1=d ]Ɋ&  !=d1 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=58143d0e-8c09-4262-8ec2-00a96cc93fc8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=0a3bef50-3818-49b5-b268-fd039a4eeda1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omma**1QVJd ]Ɋ& K!XQVJd1 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=90b8f606-5963-46da-bb69-418487263bf4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tAd**1QVJd ]Ɋ& c!XQVJd1 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=90b8f606-5963-46da-bb69-418487263bf4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-an**1QVJd ]Ɋ& _!XQVJd1 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=90b8f606-5963-46da-bb69-418487263bf4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=u**1QVJd ]Ɋ& W!XQVJd1 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=90b8f606-5963-46da-bb69-418487263bf4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **1QVJd ]Ɋ& W!XQVJd1 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=90b8f606-5963-46da-bb69-418487263bf4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=C**1QVJd ]Ɋ& Y!XQVJd1 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=90b8f606-5963-46da-bb69-418487263bf4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dapt**X1QVJd ]Ɋ& !QVJd1 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=90b8f606-5963-46da-bb69-418487263bf4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=1ce1ba6f-dea0-4903-af81-62602f3a5fea PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= CoX**`1Jd ]Ɋ& !Jd1 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=90b8f606-5963-46da-bb69-418487263bf4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=1ce1ba6f-dea0-4903-af81-62602f3a5fea PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rf`** 1Jd ]Ɋ& w !XJd1 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9d3c7d2c-fdde-484c-b806-3ae64077ca7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=u **81Jd ]Ɋ&  !XJd1 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9d3c7d2c-fdde-484c-b806-3ae64077ca7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a8**81Jd ]Ɋ&  !XJd1 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9d3c7d2c-fdde-484c-b806-3ae64077ca7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ver8**01Jd ]Ɋ&  !XJd1 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9d3c7d2c-fdde-484c-b806-3ae64077ca7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=]Ɋ&0**01Jd ]Ɋ&  !XJd1 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9d3c7d2c-fdde-484c-b806-3ae64077ca7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=x $0**01Jd ]Ɋ&  !XJd1 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9d3c7d2c-fdde-484c-b806-3ae64077ca7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Id0 PipelineId ]Ɋ&  CJd1 F& ** 1 c ]Ɋ&  !X c1 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7df400ec-77fb-4317-a2f2-027e7a22e541 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=RR :$($_.Except ]Ɋ&   c1 F&a-ab12-cd08c3d369b3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mndLine= ElfChnk1111u5 ,Mu=VysMc&&**1Jd ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! e!Jd1 F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9d3c7d2c-fdde-484c-b806-3ae64077ca7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=fdaacc28-4de7-4792-936f-6d4e8578f868 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=erA**1~Kd ]Ɋ&  !~Kd1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=9d3c7d2c-fdde-484c-b806-3ae64077ca7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=fdaacc28-4de7-4792-936f-6d4e8578f868 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { ** 1~Kd ]Ɋ&  !X~Kd1 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7dc77f2b-49b5-48ba-9b76-bc1f2547b353 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 1~Kd ]Ɋ&  !X~Kd1 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7dc77f2b-49b5-48ba-9b76-bc1f2547b353 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l ** 1~Kd ]Ɋ&  !X~Kd1 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7dc77f2b-49b5-48ba-9b76-bc1f2547b353 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ile ** 1~Kd ]Ɋ&  !X~Kd1 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7dc77f2b-49b5-48ba-9b76-bc1f2547b353 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Nam ** 1~Kd ]Ɋ&  !X~Kd1 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7dc77f2b-49b5-48ba-9b76-bc1f2547b353 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Fi ** 1~Kd ]Ɋ&  !X~Kd1 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7dc77f2b-49b5-48ba-9b76-bc1f2547b353 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H ** 1~Kd ]Ɋ& e !~Kd1 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7dc77f2b-49b5-48ba-9b76-bc1f2547b353 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=336a5f3c-d35b-4985-aaa7-c5da7934da8f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pt ** 1 Ld ]Ɋ& q ! Ld1 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=7dc77f2b-49b5-48ba-9b76-bc1f2547b353 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=336a5f3c-d35b-4985-aaa7-c5da7934da8f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=]@{ **1 Ld ]Ɋ& 7!X Ld1 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=507e09d9-6095-4a31-b7c4-934cd9c834ea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c**1 Ld ]Ɋ& O!X Ld1 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=507e09d9-6095-4a31-b7c4-934cd9c834ea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r**1 Ld ]Ɋ& K!X Ld1 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=507e09d9-6095-4a31-b7c4-934cd9c834ea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} |**1 Ld ]Ɋ& C!X Ld1 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=507e09d9-6095-4a31-b7c4-934cd9c834ea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e -**1 Ld ]Ɋ& C!X Ld1 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=507e09d9-6095-4a31-b7c4-934cd9c834ea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.Dr**1 Ld ]Ɋ& E!X Ld1 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=507e09d9-6095-4a31-b7c4-934cd9c834ea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eq**@1 Ld ]Ɋ& ! Ld1 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=507e09d9-6095-4a31-b7c4-934cd9c834ea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=4323af84-e33f-4c1d-a5ea-8b8bd5e392b6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= {@**P1 Ld ]Ɋ& ! Ld1 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=507e09d9-6095-4a31-b7c4-934cd9c834ea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=4323af84-e33f-4c1d-a5ea-8b8bd5e392b6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=(GetP**H1JYd ]Ɋ& !XJYd1 F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=81bd56e8-61f4-4ed7-bc34-acf9f7d20da1 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cH**`1JYd ]Ɋ& !XJYd1 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=81bd56e8-61f4-4ed7-bc34-acf9f7d20da1 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P`**`1JYd ]Ɋ& !XJYd1 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=81bd56e8-61f4-4ed7-bc34-acf9f7d20da1 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H`**X1JYd ]Ɋ& !XJYd1 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=81bd56e8-61f4-4ed7-bc34-acf9f7d20da1 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ObjX**X1JYd ]Ɋ& !XJYd1 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=81bd56e8-61f4-4ed7-bc34-acf9f7d20da1 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=SelX**X1JYd ]Ɋ& !XJYd1 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=81bd56e8-61f4-4ed7-bc34-acf9f7d20da1 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==FX**1JYd ]Ɋ& !JYd1 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=81bd56e8-61f4-4ed7-bc34-acf9f7d20da1 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=8f4ee9b0-db4a-42ac-b9eb-69d9cc055d6a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **1 Ed ]Ɋ&  ! Ed1 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=81bd56e8-61f4-4ed7-bc34-acf9f7d20da1 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=8f4ee9b0-db4a-42ac-b9eb-69d9cc055d6a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ $_**X1:d ]Ɋ&  !X:d1 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=96b934fe-bc0b-4782-9d00-327ec96bd0e1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.DX**p1:d ]Ɋ&  !X:d1 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=96b934fe-bc0b-4782-9d00-327ec96bd0e1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rep**p1:d ]Ɋ&  !X:d1 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=96b934fe-bc0b-4782-9d00-327ec96bd0e1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 1 p**h1:d ]Ɋ&  !X:d1 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=96b934fe-bc0b-4782-9d00-327ec96bd0e1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a-abh-cd08c3d369b ]Ɋ&  SX:d1 F&ommandLine=mndLine= ElfChnk1111 ǥMu=VysMc&&**h1:d ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! I!X:d1 F&F%g>9{p(xlMD EventDatauoData !Binary RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=96b934fe-bc0b-4782-9d00-327ec96bd0e1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mh**h1:d ]Ɋ&  !X:d1 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=96b934fe-bc0b-4782-9d00-327ec96bd0e1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== h**1:d ]Ɋ&  !:d1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=96b934fe-bc0b-4782-9d00-327ec96bd0e1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=5829b4ad-6be7-4888-adae-4f5acc0fbc19 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ceI**1:d ]Ɋ& !:d1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=96b934fe-bc0b-4782-9d00-327ec96bd0e1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=5829b4ad-6be7-4888-adae-4f5acc0fbc19 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**X1Ud ]Ɋ&  !XUd1 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1c334dd3-8a84-4245-889f-5326218e6d7e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndX**p1Ud ]Ɋ&  !XUd1 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1c334dd3-8a84-4245-889f-5326218e6d7e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Nap**p1Ud ]Ɋ&  !XUd1 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1c334dd3-8a84-4245-889f-5326218e6d7e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) p**h1Ud ]Ɋ&  !XUd1 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1c334dd3-8a84-4245-889f-5326218e6d7e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ostAh**h1Ud ]Ɋ&  !XUd1 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1c334dd3-8a84-4245-889f-5326218e6d7e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=commh**h1Ud ]Ɋ&  !XUd1 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1c334dd3-8a84-4245-889f-5326218e6d7e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**1Ud ]Ɋ&  !Ud1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1c334dd3-8a84-4245-889f-5326218e6d7e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=0b484b48-a69f-4f12-b72b-8b0c53f1382b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **1Ud ]Ɋ& !Ud1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=1c334dd3-8a84-4245-889f-5326218e6d7e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=0b484b48-a69f-4f12-b72b-8b0c53f1382b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S** 1Ud ]Ɋ& w !XUd1 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e4517641-bda5-4855-a0c3-56ecd6b633e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=C **81Ud ]Ɋ&  !XUd1 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e4517641-bda5-4855-a0c3-56ecd6b633e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h8**81Ud ]Ɋ&  !XUd1 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e4517641-bda5-4855-a0c3-56ecd6b633e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**01Ud ]Ɋ&  !XUd1 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e4517641-bda5-4855-a0c3-56ecd6b633e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nha0**01Ud ]Ɋ&  !XUd1 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e4517641-bda5-4855-a0c3-56ecd6b633e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0 if ( ]Ɋ&  XUd1 F&eyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a-abh-cd08c3d369b ]Ɋ&  SX:d1 F&ommandLine=mndLine= ElfChnk12128pHjMu=VysMc&&**81Ud ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XUd1 F&F%g>9{p(xlMD EventDatauoData !Binaryb VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e4517641-bda5-4855-a0c3-56ecd6b633e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndP8**1Ud ]Ɋ&  !Ud1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e4517641-bda5-4855-a0c3-56ecd6b633e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=873a6614-9a40-4a82-a7f3-c97df9b9ed60 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nd**1\d ]Ɋ&  !\d1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=e4517641-bda5-4855-a0c3-56ecd6b633e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=873a6614-9a40-4a82-a7f3-c97df9b9ed60 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Co**1d ]Ɋ&  !Xd1 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4cf61a03-c06d-4f05-a2b3-055e52e97b15 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pe= **1d ]Ɋ&  !Xd1 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4cf61a03-c06d-4f05-a2b3-055e52e97b15 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nd**2d ]Ɋ& !Xd2 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4cf61a03-c06d-4f05-a2b3-055e52e97b15 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**2d ]Ɋ&  !Xd2 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4cf61a03-c06d-4f05-a2b3-055e52e97b15 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**2d ]Ɋ&  !Xd2 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4cf61a03-c06d-4f05-a2b3-055e52e97b15 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**2d ]Ɋ&  !Xd2 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4cf61a03-c06d-4f05-a2b3-055e52e97b15 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r**2d ]Ɋ& O!d2 F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4cf61a03-c06d-4f05-a2b3-055e52e97b15 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=2d84d6b8-bc60-4650-baf9-1fb5b13bbea6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**2d ]Ɋ& [!d2 F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4cf61a03-c06d-4f05-a2b3-055e52e97b15 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=2d84d6b8-bc60-4650-baf9-1fb5b13bbea6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=4.0**2&d ]Ɋ& K!X&d2 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7884aa9e-b5fa-4caf-b6b9-0a640089fead HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **2&d ]Ɋ& c!X&d2 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7884aa9e-b5fa-4caf-b6b9-0a640089fead HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=4f1**2&d ]Ɋ& _!X&d2 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7884aa9e-b5fa-4caf-b6b9-0a640089fead HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 2&d ]Ɋ& W!X&d 2 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7884aa9e-b5fa-4caf-b6b9-0a640089fead HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 2&d ]Ɋ& W!X&d 2 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7884aa9e-b5fa-4caf-b6b9-0a640089fead HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P** 2&d ]Ɋ& Y!X&d 2 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7884aa9e-b5fa-4caf-b6b9-0a640089fead HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$mac**X 2&d ]Ɋ& !&d 2 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7884aa9e-b5fa-4caf-b6b9-0a640089fead HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=5551b4e1-a36b-4242-9334-f6bccb263535 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=roviX**` 2Ed ]Ɋ& !Ed 2 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=7884aa9e-b5fa-4caf-b6b9-0a640089fead HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=5551b4e1-a36b-4242-9334-f6bccb263535 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c `** 2Ed ]Ɋ& w !XEd2 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9bc07e32-e80c-4013-afea-cbf2f1a78e1d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **82Ed ]Ɋ&  !XEd2 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9bc07e32-e80c-4013-afea-cbf2f1a78e1d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$8c = $adapter ]Ɋ&  XEd2 F&his route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0 if ( ]Ɋ&  XUd1 F&eyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a-abh-cd08c3d369b ]Ɋ&  SX:d1 F&ommandLine=mndLine= ElfChnk2'22'2@a(Mu=VysMc&&**82Ed ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XEd2 F&F%g>9{p(xlMD EventDatauoData !Binaryh FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9bc07e32-e80c-4013-afea-cbf2f1a78e1d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8**02Ed ]Ɋ&  !XEd2 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9bc07e32-e80c-4013-afea-cbf2f1a78e1d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ptN0**02Ed ]Ɋ&  !XEd2 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9bc07e32-e80c-4013-afea-cbf2f1a78e1d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pel0**02Ed ]Ɋ&  !XEd2 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9bc07e32-e80c-4013-afea-cbf2f1a78e1d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= t0**2Ed ]Ɋ&  !Ed2 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9bc07e32-e80c-4013-afea-cbf2f1a78e1d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=78caca37-1d85-421d-bef6-5ad85bb67643 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine="W**2Wd ]Ɋ&  !Wd2 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=9bc07e32-e80c-4013-afea-cbf2f1a78e1d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=78caca37-1d85-421d-bef6-5ad85bb67643 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=age ** 2Wd ]Ɋ&  !XWd2 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=3aa16da0-96a4-49f0-aa54-7a4aa44a0dc0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t ** 2Wd ]Ɋ&  !XWd2 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=3aa16da0-96a4-49f0-aa54-7a4aa44a0dc0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i ** 2Wd ]Ɋ&  !XWd2 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=3aa16da0-96a4-49f0-aa54-7a4aa44a0dc0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s c ** 2Wd ]Ɋ&  !XWd2 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=3aa16da0-96a4-49f0-aa54-7a4aa44a0dc0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rAc ** 2Wd ]Ɋ&  !XWd2 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=3aa16da0-96a4-49f0-aa54-7a4aa44a0dc0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 2Wd ]Ɋ&  !XWd2 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=3aa16da0-96a4-49f0-aa54-7a4aa44a0dc0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l ** 2Wd ]Ɋ& e !Wd2 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=3aa16da0-96a4-49f0-aa54-7a4aa44a0dc0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=646d22e4-9da6-488b-9a12-daec7773c011 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ta ** 2Wd ]Ɋ& q !Wd2 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=3aa16da0-96a4-49f0-aa54-7a4aa44a0dc0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=646d22e4-9da6-488b-9a12-daec7773c011 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ject **2rd ]Ɋ& 7!Xrd2 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7b2c64c3-337c-480d-8fe2-47c367e1ddf9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**2rd ]Ɋ& O!Xrd2 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7b2c64c3-337c-480d-8fe2-47c367e1ddf9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s** 2rd ]Ɋ& K!Xrd 2 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7b2c64c3-337c-480d-8fe2-47c367e1ddf9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t -**!2rd ]Ɋ& C!Xrd!2 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7b2c64c3-337c-480d-8fe2-47c367e1ddf9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Wmi**"2rd ]Ɋ& C!Xrd"2 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7b2c64c3-337c-480d-8fe2-47c367e1ddf9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=and**#2rd ]Ɋ& E!Xrd#2 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7b2c64c3-337c-480d-8fe2-47c367e1ddf9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=By**@$2rd ]Ɋ& !rd$2 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7b2c64c3-337c-480d-8fe2-47c367e1ddf9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=b87a162f-8ddb-4437-8b91-a3adaadef82d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -@**P%2rd ]Ɋ& !rd%2 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=7b2c64c3-337c-480d-8fe2-47c367e1ddf9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=b87a162f-8ddb-4437-8b91-a3adaadef82d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ecutP**8 &2 d ]Ɋ&  !X d&2 F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5d7c96ee-1d96-4f67-8514-e5b6505d6fe5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H8 **P '2 d ]Ɋ&  !X d'2 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5d7c96ee-1d96-4f67-8514-e5b6505d6fe5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=anP try next  ]Ɋ& ndX d(2 F&{ try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0 if ( ]Ɋ&  XUd1 F&eyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a-abh-cd08c3d369b ]Ɋ&  SX:d1 F&ommandLine=mndLine= ElfChnk(2=2(2=2`1KvMu=VysMc&&**P(2 d ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! 1 !X d(2 F&F%g>9{p(xlMD EventDatauoData !Binary~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5d7c96ee-1d96-4f67-8514-e5b6505d6fe5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=iP**H )2 d ]Ɋ&  !X d)2 F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5d7c96ee-1d96-4f67-8514-e5b6505d6fe5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ct -H **H *2 d ]Ɋ&  !X d*2 F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5d7c96ee-1d96-4f67-8514-e5b6505d6fe5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=etwoH **H +2 d ]Ɋ&  !X d+2 F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5d7c96ee-1d96-4f67-8514-e5b6505d6fe5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=efaH ** ,2 d ]Ɋ&  ! d,2 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5d7c96ee-1d96-4f67-8514-e5b6505d6fe5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=253d9041-513a-4fef-96e5-449f75822013 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ame ** -2 d ]Ɋ&  ! d-2 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5d7c96ee-1d96-4f67-8514-e5b6505d6fe5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=253d9041-513a-4fef-96e5-449f75822013 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** .2 d ]Ɋ& w !X d.2 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=72491254-3fe8-40ab-8116-f7ff7f26c1f3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" **8/2 d ]Ɋ&  !X d/2 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=72491254-3fe8-40ab-8116-f7ff7f26c1f3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s8**802 d ]Ɋ&  !X d02 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=72491254-3fe8-40ab-8116-f7ff7f26c1f3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= } 8**012 d ]Ɋ&  !X d12 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=72491254-3fe8-40ab-8116-f7ff7f26c1f3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Non0**022 d ]Ɋ&  !X d22 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=72491254-3fe8-40ab-8116-f7ff7f26c1f3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=SSe0**032 d ]Ɋ&  !X d32 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=72491254-3fe8-40ab-8116-f7ff7f26c1f3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=am0**42 d ]Ɋ&  ! d42 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=72491254-3fe8-40ab-8116-f7ff7f26c1f3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=5cb698ae-920d-4a58-ad66-701e07caae57 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dr**52!e ]Ɋ&  !!e52 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=72491254-3fe8-40ab-8116-f7ff7f26c1f3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=5cb698ae-920d-4a58-ad66-701e07caae57 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**626e ]Ɋ& K!X6e62 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9748c7da-f630-4b43-acad-2dd1ace6ba1c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**726e ]Ɋ& c!X6e72 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9748c7da-f630-4b43-acad-2dd1ace6ba1c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**826e ]Ɋ& _!X6e82 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9748c7da-f630-4b43-acad-2dd1ace6ba1c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=L**926e ]Ɋ& W!X6e92 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9748c7da-f630-4b43-acad-2dd1ace6ba1c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r**:26e ]Ɋ& W!X6e:2 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9748c7da-f630-4b43-acad-2dd1ace6ba1c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=}**;26e ]Ɋ& Y!X6e;2 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9748c7da-f630-4b43-acad-2dd1ace6ba1c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me L**X<26e ]Ɋ& !6e<2 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9748c7da-f630-4b43-acad-2dd1ace6ba1c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=18f61035-7b53-4fd3-afad-24dbe68f00c7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= } X**`=26e ]Ɋ& !6e=2 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9748c7da-f630-4b43-acad-2dd1ace6ba1c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=18f61035-7b53-4fd3-afad-24dbe68f00c7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1 ` } if ( ]Ɋ&  X6e>2 F&mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0 if ( ]Ɋ&  XUd1 F&eyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a-abh-cd08c3d369b ]Ɋ&  SX:d1 F&ommandLine=mndLine= ElfChnk>2P2>2P2hclpU{0Mu=VysMc&&**(>26e ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X6e>2 F&F%g>9{p(xlMD EventDatauoData !BinaryT AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d36f2b73-3e2c-4d81-a776-80d7ed5b802d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S(**8?26e ]Ɋ&  !X6e?2 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d36f2b73-3e2c-4d81-a776-80d7ed5b802d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=08**8@26e ]Ɋ&  !X6e@2 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d36f2b73-3e2c-4d81-a776-80d7ed5b802d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nPo8**0A26e ]Ɋ&  !X6eA2 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d36f2b73-3e2c-4d81-a776-80d7ed5b802d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 'M0**0B26e ]Ɋ&  !X6eB2 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d36f2b73-3e2c-4d81-a776-80d7ed5b802d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ows0**0C26e ]Ɋ&  !X6eC2 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d36f2b73-3e2c-4d81-a776-80d7ed5b802d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nd0**D26e ]Ɋ&  !6eD2 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d36f2b73-3e2c-4d81-a776-80d7ed5b802d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=84ea5d0a-b1d5-4a1f-950a-e49bc8c97d4a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tl**E2Re ]Ɋ&  !ReE2 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=d36f2b73-3e2c-4d81-a776-80d7ed5b802d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=84ea5d0a-b1d5-4a1f-950a-e49bc8c97d4a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=utes** F2Re ]Ɋ&  !XReF2 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=17b8e2ae-949c-4cdf-931a-8ff2009538c3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r ** G2Re ]Ɋ&  !XReG2 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=17b8e2ae-949c-4cdf-931a-8ff2009538c3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=A ** H2Re ]Ɋ&  !XReH2 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=17b8e2ae-949c-4cdf-931a-8ff2009538c3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ntl ** I2Re ]Ɋ&  !XReI2 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=17b8e2ae-949c-4cdf-931a-8ff2009538c3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=491 ** J2Re ]Ɋ&  !XReJ2 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=17b8e2ae-949c-4cdf-931a-8ff2009538c3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on ** K2Re ]Ɋ&  !XReK2 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=17b8e2ae-949c-4cdf-931a-8ff2009538c3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-n ** L2Re ]Ɋ& e !ReL2 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=17b8e2ae-949c-4cdf-931a-8ff2009538c3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=ac0ce2cf-5002-49ef-8b1f-2669cac958fc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ol **XM2Re ]Ɋ&  !XReM2 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=359a5c71-ee5c-4df6-9497-7b3e74293c44 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=veX**pN2Re ]Ɋ&  !XReN2 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=359a5c71-ee5c-4df6-9497-7b3e74293c44 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sop**pO2Re ]Ɋ&  !XReO2 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=359a5c71-ee5c-4df6-9497-7b3e74293c44 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=uencp**hP2Re ]Ɋ&  !XReP2 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=359a5c71-ee5c-4df6-9497-7b3e74293c44 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $_hediaType -eq ]Ɋ&  XReQ2 F&_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=18f61035-7b53-4fd3-afad-24dbe68f00c7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1 ` } if ( ]Ɋ&  X6e>2 F&mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0 if ( ]Ɋ&  XUd1 F&eyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a-abh-cd08c3d369b ]Ɋ&  SX:d1 F&ommandLine=mndLine= ElfChnkQ2i2Q2i2]{-]2Mu=VysMc&&**hQ2Re ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! I!XReQ2 F&F%g>9{p(xlMD EventDatauoData !Binary RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=359a5c71-ee5c-4df6-9497-7b3e74293c44 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**hR2Re ]Ɋ&  !XReR2 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=359a5c71-ee5c-4df6-9497-7b3e74293c44 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**S2Re ]Ɋ&  !ReS2 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=359a5c71-ee5c-4df6-9497-7b3e74293c44 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=cb019d11-b190-43e7-9f09-d1a188823c50 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rov**T2Re ]Ɋ& !ReT2 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=359a5c71-ee5c-4df6-9497-7b3e74293c44 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=cb019d11-b190-43e7-9f09-d1a188823c50 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**XU2Re ]Ɋ&  !XReU2 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=23b9cb5b-28cb-49b0-a9fe-71ddaf450a74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t X**pV2Re ]Ɋ&  !XReV2 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=23b9cb5b-28cb-49b0-a9fe-71ddaf450a74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=6fp**pW2Re ]Ɋ&  !XReW2 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=23b9cb5b-28cb-49b0-a9fe-71ddaf450a74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==4.0p**hX2Re ]Ɋ&  !XReX2 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=23b9cb5b-28cb-49b0-a9fe-71ddaf450a74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ersih**hY2Re ]Ɋ&  !XReY2 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=23b9cb5b-28cb-49b0-a9fe-71ddaf450a74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ain)h**hZ2Re ]Ɋ&  !XReZ2 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=23b9cb5b-28cb-49b0-a9fe-71ddaf450a74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Stah**[2Re ]Ɋ&  !Re[2 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=23b9cb5b-28cb-49b0-a9fe-71ddaf450a74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=5b0dbac3-de53-42e4-b042-d4f0c96add5e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omp**\2ce ]Ɋ& !ce\2 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=23b9cb5b-28cb-49b0-a9fe-71ddaf450a74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=5b0dbac3-de53-42e4-b042-d4f0c96add5e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** ]2ce ]Ɋ& q !ce]2 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=17b8e2ae-949c-4cdf-931a-8ff2009538c3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=ac0ce2cf-5002-49ef-8b1f-2669cac958fc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==Con **^2ce ]Ɋ& 7!Xce^2 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b6165802-4576-4e27-b7fc-8cadd895b827 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **_2ce ]Ɋ& O!Xce_2 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b6165802-4576-4e27-b7fc-8cadd895b827 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **`2ce ]Ɋ& K!Xce`2 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b6165802-4576-4e27-b7fc-8cadd895b827 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tat**a2ce ]Ɋ& C!Xcea2 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b6165802-4576-4e27-b7fc-8cadd895b827 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **b2ce ]Ɋ& C!Xceb2 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b6165802-4576-4e27-b7fc-8cadd895b827 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xe **c2ce ]Ɋ& E!Xcec2 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b6165802-4576-4e27-b7fc-8cadd895b827 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ku**@d2ce ]Ɋ& !ced2 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b6165802-4576-4e27-b7fc-8cadd895b827 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=cbb32ff4-0882-4778-9adb-2c63b8b33f30 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=@**Pe2ce ]Ɋ& !cee2 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b6165802-4576-4e27-b7fc-8cadd895b827 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=cbb32ff4-0882-4778-9adb-2c63b8b33f30 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=GNERP**Hf2)e ]Ɋ& !X)ef2 F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=60d17034-2fdd-4ee9-bc92-4a4ff8ce33fb HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=UH**`g2)e ]Ɋ& !X)eg2 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=60d17034-2fdd-4ee9-bc92-4a4ff8ce33fb HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e`**`h2)e ]Ɋ& !X)eh2 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=60d17034-2fdd-4ee9-bc92-4a4ff8ce33fb HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=`**Xi2)e ]Ɋ& !X)ei2 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=60d17034-2fdd-4ee9-bc92-4a4ff8ce33fb HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mXndLine= ElfChnkj22j22 1ܧMu=VysMc&&**Xj2)e ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! ;!X)ej2 F&F%g>9{p(xlMD EventDatauoData !BinaryRegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=60d17034-2fdd-4ee9-bc92-4a4ff8ce33fb HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**Xk2)e ]Ɋ& !X)ek2 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=60d17034-2fdd-4ee9-bc92-4a4ff8ce33fb HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$X**l2)e ]Ɋ& !)el2 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=60d17034-2fdd-4ee9-bc92-4a4ff8ce33fb HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a1c591f4-a2bc-4dcb-bd3b-0eb337a36ffa PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **m2gYe ]Ɋ& K!XgYem2 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=79b71159-f60a-4d8b-a656-fba966539f0f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($s**n2gYe ]Ɋ& c!XgYen2 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=79b71159-f60a-4d8b-a656-fba966539f0f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **o2gYe ]Ɋ& _!XgYeo2 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=79b71159-f60a-4d8b-a656-fba966539f0f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c**p2gYe ]Ɋ& W!XgYep2 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=79b71159-f60a-4d8b-a656-fba966539f0f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**q2gYe ]Ɋ& W!XgYeq2 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=79b71159-f60a-4d8b-a656-fba966539f0f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m**r2gYe ]Ɋ& Y!XgYer2 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=79b71159-f60a-4d8b-a656-fba966539f0f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=te-O**Xs2e ]Ɋ& !es2 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=79b71159-f60a-4d8b-a656-fba966539f0f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=73a17193-a533-4e03-874b-dac6c6e6c0be PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= empX**`t2e ]Ɋ& !et2 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=79b71159-f60a-4d8b-a656-fba966539f0f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=73a17193-a533-4e03-874b-dac6c6e6c0be PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=OD`** u2e ]Ɋ& w !Xeu2 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e3630a43-ff9f-44c1-bc85-ca67f4579fde HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a **8v2e ]Ɋ&  !Xev2 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e3630a43-ff9f-44c1-bc85-ca67f4579fde HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=E8**8w2e ]Ɋ&  !Xew2 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e3630a43-ff9f-44c1-bc85-ca67f4579fde HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $8**0x2e ]Ɋ&  !Xex2 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e3630a43-ff9f-44c1-bc85-ca67f4579fde HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Pre0**0y2e ]Ɋ&  !Xey2 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e3630a43-ff9f-44c1-bc85-ca67f4579fde HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Byp0**0z2e ]Ɋ&  !Xez2 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e3630a43-ff9f-44c1-bc85-ca67f4579fde HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nt0**{2e ]Ɋ&  !e{2 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e3630a43-ff9f-44c1-bc85-ca67f4579fde HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=919661b4-62aa-46f8-80d3-4f88318a07d6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on**|2e ]Ɋ&  !e|2 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=e3630a43-ff9f-44c1-bc85-ca67f4579fde HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=919661b4-62aa-46f8-80d3-4f88318a07d6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f200** }2e ]Ɋ&  !Xe}2 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=23b35cf0-07ce-419d-aae0-327e90b506b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=4 ** ~2e ]Ɋ&  !Xe~2 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=23b35cf0-07ce-419d-aae0-327e90b506b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c ** 2e ]Ɋ&  !Xe2 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=23b35cf0-07ce-419d-aae0-327e90b506b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nd ** 2e ]Ɋ&  !Xe2 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=23b35cf0-07ce-419d-aae0-327e90b506b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Seq ** 2e ]Ɋ&  !Xe2 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=23b35cf0-07ce-419d-aae0-327e90b506b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= R ** 2e ]Ɋ&  !Xe2 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=23b35cf0-07ce-419d-aae0-327e90b506b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ex ** 2e ]Ɋ& e !e2 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=23b35cf0-07ce-419d-aae0-327e90b506b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=84bfc6d7-46e4-42d2-8877-2a7f42719ea3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==  CommandName= ]Ɋ& Co*#e2 F& ]Ɋ& !X)ei2 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=60d17034-2fdd-4ee9-bc92-4a4ff8ce33fb HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mXndLine= ElfChnk2222hHd%OMu=VysMc&&** 2*#e ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !*#e2 F&F%g>9{p(xlMD EventDatauoData !BinaryN StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=23b35cf0-07ce-419d-aae0-327e90b506b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=84bfc6d7-46e4-42d2-8877-2a7f42719ea3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r **2*#e ]Ɋ& 7!X*#e2 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5897cd43-d8da-4525-ac4e-81ece9e0a3d2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P**2*#e ]Ɋ& O!X*#e2 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5897cd43-d8da-4525-ac4e-81ece9e0a3d2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**2*#e ]Ɋ& K!X*#e2 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5897cd43-d8da-4525-ac4e-81ece9e0a3d2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=onI**2*#e ]Ɋ& C!X*#e2 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5897cd43-d8da-4525-ac4e-81ece9e0a3d2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ofi**2*#e ]Ɋ& C!X*#e2 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5897cd43-d8da-4525-ac4e-81ece9e0a3d2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xe **2*#e ]Ɋ& E!X*#e2 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5897cd43-d8da-4525-ac4e-81ece9e0a3d2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rs**@2*#e ]Ɋ& !*#e2 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5897cd43-d8da-4525-ac4e-81ece9e0a3d2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=8e9f3467-df42-44bc-bfb5-54522619f256 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nt@**P2*#e ]Ɋ& !*#e2 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5897cd43-d8da-4525-ac4e-81ece9e0a3d2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=8e9f3467-df42-44bc-bfb5-54522619f256 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rofiP**2WTe ]Ɋ&  !WTe2 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=60d17034-2fdd-4ee9-bc92-4a4ff8ce33fb HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a1c591f4-a2bc-4dcb-bd3b-0eb337a36ffa PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ted**H2Df ]Ɋ& !XDf2 F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d8f88bb2-1e7c-4037-ac03-587443497802 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**`2Df ]Ɋ& !XDf2 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d8f88bb2-1e7c-4037-ac03-587443497802 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n`**`2Df ]Ɋ& !XDf2 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d8f88bb2-1e7c-4037-ac03-587443497802 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omm`**X2Df ]Ɋ& !XDf2 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d8f88bb2-1e7c-4037-ac03-587443497802 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=atiX**X2Df ]Ɋ& !XDf2 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d8f88bb2-1e7c-4037-ac03-587443497802 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**X2Df ]Ɋ& !XDf2 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d8f88bb2-1e7c-4037-ac03-587443497802 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=reX**2Df ]Ɋ& !Df2 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d8f88bb2-1e7c-4037-ac03-587443497802 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=303ec370-de1c-4403-847a-313a0e064ec2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ul**2Pf ]Ɋ&  !Pf2 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d8f88bb2-1e7c-4037-ac03-587443497802 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=303ec370-de1c-4403-847a-313a0e064ec2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= } **2)ef ]Ɋ& K!X)ef2 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d4e505eb-dd1f-45e8-9098-f40f5535640c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e= **2)ef ]Ɋ& c!X)ef2 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d4e505eb-dd1f-45e8-9098-f40f5535640c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== G**2)ef ]Ɋ& _!X)ef2 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d4e505eb-dd1f-45e8-9098-f40f5535640c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=I**2)ef ]Ɋ& W!X)ef2 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d4e505eb-dd1f-45e8-9098-f40f5535640c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**2)ef ]Ɋ& W!X)ef2 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d4e505eb-dd1f-45e8-9098-f40f5535640c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=)**2)ef ]Ɋ& Y!X)ef2 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d4e505eb-dd1f-45e8-9098-f40f5535640c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=11 **X2[ef ]Ɋ& ![ef2 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d4e505eb-dd1f-45e8-9098-f40f5535640c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=4b1569b8-7a6a-4a6b-a52b-60ab85ef194b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= bX**`2[ef ]Ɋ& ![ef2 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d4e505eb-dd1f-45e8-9098-f40f5535640c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=4b1569b8-7a6a-4a6b-a52b-60ab85ef194b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nt`** 2[ef ]Ɋ& w !X[ef2 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=3558f1c5-ecd5-4ced-b839-48bfbca61324 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **82[ef ]Ɋ&  !X[ef2 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=3558f1c5-ecd5-4ced-b839-48bfbca61324 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P8**82[ef ]Ɋ&  !X[ef2 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=3558f1c5-ecd5-4ced-b839-48bfbca61324 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=() 8**02[ef ]Ɋ&  !X[ef2 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=3558f1c5-ecd5-4ced-b839-48bfbca61324 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pre0**02[ef ]Ɋ&  !X[ef2 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=3558f1c5-ecd5-4ced-b839-48bfbca61324 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nd 0**02[ef ]Ɋ&  !X[ef2 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=3558f1c5-ecd5-4ced-b839-48bfbca61324 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=qu0**2[ef ]Ɋ&  ![ef2 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=3558f1c5-ecd5-4ced-b839-48bfbca61324 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=e935ca1d-9d58-405c-bb1f-741a3359eef7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ncumber=7  ]Ɋ& =6Zff2 F&ce33fb HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mXndLine= ElfChnk2222 ң6Mu=VysMc&&**2Zff ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! q!Zff2 F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=3558f1c5-ecd5-4ced-b839-48bfbca61324 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=e935ca1d-9d58-405c-bb1f-741a3359eef7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t** 2Zff ]Ɋ&  !XZff2 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0108c240-cf9e-4015-8609-541518fb56fe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a ** 2Zff ]Ɋ&  !XZff2 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0108c240-cf9e-4015-8609-541518fb56fe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 2Zff ]Ɋ&  !XZff2 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0108c240-cf9e-4015-8609-541518fb56fe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=aye ** 2Zff ]Ɋ&  !XZff2 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0108c240-cf9e-4015-8609-541518fb56fe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ho ** 2Zff ]Ɋ&  !XZff2 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0108c240-cf9e-4015-8609-541518fb56fe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 2Zff ]Ɋ&  !XZff2 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0108c240-cf9e-4015-8609-541518fb56fe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eq ** 2Zff ]Ɋ& e !Zff2 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0108c240-cf9e-4015-8609-541518fb56fe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=e53ad4d9-fb2c-46de-8bb0-1bba535ee9a6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ol ** 2ff ]Ɋ& q !ff2 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=0108c240-cf9e-4015-8609-541518fb56fe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=e53ad4d9-fb2c-46de-8bb0-1bba535ee9a6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me= **2ff ]Ɋ& 7!Xff2 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2441ae0c-b9e9-4492-bc28-6370fcfdc862 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**2ff ]Ɋ& O!Xff2 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2441ae0c-b9e9-4492-bc28-6370fcfdc862 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**2ff ]Ɋ& K!Xff2 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2441ae0c-b9e9-4492-bc28-6370fcfdc862 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**2ff ]Ɋ& C!Xff2 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2441ae0c-b9e9-4492-bc28-6370fcfdc862 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**2ff ]Ɋ& C!Xff2 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2441ae0c-b9e9-4492-bc28-6370fcfdc862 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**2ff ]Ɋ& E!Xff2 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2441ae0c-b9e9-4492-bc28-6370fcfdc862 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**@2ff ]Ɋ& !ff2 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2441ae0c-b9e9-4492-bc28-6370fcfdc862 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=004c7309-dbc0-4099-81a8-5ca1e9c775fd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=[@**P2ff ]Ɋ& !ff2 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=2441ae0c-b9e9-4492-bc28-6370fcfdc862 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=004c7309-dbc0-4099-81a8-5ca1e9c775fd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P**H2df ]Ɋ& !Xdf2 F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b7eabd2c-34a6-4abb-848a-2de864a4bb2d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=lH**`2df ]Ɋ& !Xdf2 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b7eabd2c-34a6-4abb-848a-2de864a4bb2d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n`**`2df ]Ɋ& !Xdf2 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b7eabd2c-34a6-4abb-848a-2de864a4bb2d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= '0`**X2df ]Ɋ& !Xdf2 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b7eabd2c-34a6-4abb-848a-2de864a4bb2d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nfiX**X2df ]Ɋ& !Xdf2 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b7eabd2c-34a6-4abb-848a-2de864a4bb2d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=stVX**X2df ]Ɋ& !Xdf2 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b7eabd2c-34a6-4abb-848a-2de864a4bb2d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ouX**2df ]Ɋ& !df2 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b7eabd2c-34a6-4abb-848a-2de864a4bb2d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=c7b309f5-de64-40ab-82a4-c084299ca8d7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $**2df ]Ɋ&  !df2 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b7eabd2c-34a6-4abb-848a-2de864a4bb2d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=c7b309f5-de64-40ab-82a4-c084299ca8d7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tate**X2D g ]Ɋ&  !XD g2 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5c221a2b-56f4-42fa-a59c-c9fab140d94c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ncX**p2D g ]Ɋ&  !XD g2 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5c221a2b-56f4-42fa-a59c-c9fab140d94c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Hop**p2D g ]Ɋ&  !XD g2 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5c221a2b-56f4-42fa-a59c-c9fab140d94c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Id=3p**h2D g ]Ɋ&  !XD g2 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5c221a2b-56f4-42fa-a59c-c9fab140d94c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=48bfh**h2D g ]Ɋ&  !XD g2 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5c221a2b-56f4-42fa-a59c-c9fab140d94c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s1 hngineVersion ]Ɋ& CoXD g2 F&mmandPath= CommandLine=mXndLine= ElfChnk2222icbI]Mu=VysMc&&**h2D g ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! K!XD g2 F&F%g>9{p(xlMD EventDatauoData !Binary VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5c221a2b-56f4-42fa-a59c-c9fab140d94c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**2D g ]Ɋ&  !D g2 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5c221a2b-56f4-42fa-a59c-c9fab140d94c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=dd1b5519-53ae-4d60-8964-bd646748b29c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Fam**2D g ]Ɋ& !D g2 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5c221a2b-56f4-42fa-a59c-c9fab140d94c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=dd1b5519-53ae-4d60-8964-bd646748b29c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X2؜g ]Ɋ&  !X؜g2 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=171db814-a237-40de-bd37-b85069cb3ede HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=teX**p2؜g ]Ɋ&  !X؜g2 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=171db814-a237-40de-bd37-b85069cb3ede HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ypp**p2؜g ]Ɋ&  !X؜g2 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=171db814-a237-40de-bd37-b85069cb3ede HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ($ap**h2؜g ]Ɋ&  !X؜g2 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=171db814-a237-40de-bd37-b85069cb3ede HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=owerh**h2؜g ]Ɋ&  !X؜g2 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=171db814-a237-40de-bd37-b85069cb3ede HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Outh**h2؜g ]Ɋ&  !X؜g2 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=171db814-a237-40de-bd37-b85069cb3ede HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=berh**2؜g ]Ɋ&  !؜g2 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=171db814-a237-40de-bd37-b85069cb3ede HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=5be46ef2-170b-4962-9508-28fbcffd30f7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Pi**2؜g ]Ɋ& !؜g2 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=171db814-a237-40de-bd37-b85069cb3ede HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=5be46ef2-170b-4962-9508-28fbcffd30f7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r** 2o5g ]Ɋ& w !Xo5g2 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2accea18-addf-4e9d-bc73-1b515f1be9c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s **82o5g ]Ɋ&  !Xo5g2 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2accea18-addf-4e9d-bc73-1b515f1be9c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=|8**82o5g ]Ɋ&  !Xo5g2 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2accea18-addf-4e9d-bc73-1b515f1be9c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== $8**02o5g ]Ɋ&  !Xo5g2 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2accea18-addf-4e9d-bc73-1b515f1be9c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) {0**02o5g ]Ɋ&  !Xo5g2 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2accea18-addf-4e9d-bc73-1b515f1be9c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($e0**02o5g ]Ɋ&  !Xo5g2 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2accea18-addf-4e9d-bc73-1b515f1be9c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$e0Ext  ]Ɋ&  o5g2 F&ed.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s1 hngineVersion ]Ɋ& CoXD g2 F&mmandPath= CommandLine=mXndLine= ElfChnk2222@x &O|Mu=VysMc&&**2o5g ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! e!o5g2 F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2accea18-addf-4e9d-bc73-1b515f1be9c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=85cbc5e6-9ad2-486e-94de-e6c5d39bdbb2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**2g ]Ɋ&  !g2 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=2accea18-addf-4e9d-bc73-1b515f1be9c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=85cbc5e6-9ad2-486e-94de-e6c5d39bdbb2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==**2g ]Ɋ&  !Xg2 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ae306661-cc2f-4b90-b0ef-4d2eb346c7b8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ath=**2g ]Ɋ&  !Xg2 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ae306661-cc2f-4b90-b0ef-4d2eb346c7b8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**2g ]Ɋ& !Xg2 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ae306661-cc2f-4b90-b0ef-4d2eb346c7b8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**2g ]Ɋ&  !Xg2 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ae306661-cc2f-4b90-b0ef-4d2eb346c7b8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=FӨ**2g ]Ɋ&  !Xg2 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ae306661-cc2f-4b90-b0ef-4d2eb346c7b8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ov**2g ]Ɋ&  !Xg2 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ae306661-cc2f-4b90-b0ef-4d2eb346c7b8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S**2g ]Ɋ& O!g2 F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ae306661-cc2f-4b90-b0ef-4d2eb346c7b8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=434769e7-7494-4e7c-b752-7be6e91f6fdf PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**2fg ]Ɋ& [!fg2 F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ae306661-cc2f-4b90-b0ef-4d2eb346c7b8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=434769e7-7494-4e7c-b752-7be6e91f6fdf PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0de**2#g ]Ɋ& K!X#g2 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b1a4e89c-cf5d-4bcf-b348-06ba456a3126 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d K**2#g ]Ɋ& c!X#g2 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b1a4e89c-cf5d-4bcf-b348-06ba456a3126 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eli**2#g ]Ɋ& _!X#g2 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b1a4e89c-cf5d-4bcf-b348-06ba456a3126 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$**2#g ]Ɋ& W!X#g2 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b1a4e89c-cf5d-4bcf-b348-06ba456a3126 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2**2#g ]Ɋ& W!X#g2 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b1a4e89c-cf5d-4bcf-b348-06ba456a3126 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**2#g ]Ɋ& Y!X#g2 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b1a4e89c-cf5d-4bcf-b348-06ba456a3126 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Comm**X2g ]Ɋ& !g2 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b1a4e89c-cf5d-4bcf-b348-06ba456a3126 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=3c190bc4-cbe5-44e7-b749-eb0654464e73 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=uencX**`2g ]Ɋ& !g2 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b1a4e89c-cf5d-4bcf-b348-06ba456a3126 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=3c190bc4-cbe5-44e7-b749-eb0654464e73 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `** 2g ]Ɋ& w !Xg2 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e80ba715-77f6-4aca-b9dc-e63916af3986 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s **82g ]Ɋ&  !Xg2 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e80ba715-77f6-4aca-b9dc-e63916af3986 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**82g ]Ɋ&  !Xg2 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e80ba715-77f6-4aca-b9dc-e63916af3986 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8 break  ]Ɋ& hiXg2 F&} } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$e0Ext  ]Ɋ&  o5g2 F&ed.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s1 hngineVersion ]Ɋ& CoXD g2 F&mmandPath= CommandLine=mXndLine= ElfChnk2323XhvkMu=VysMc&&**02g ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !Xg2 F&F%g>9{p(xlMD EventDatauoData !Binary` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e80ba715-77f6-4aca-b9dc-e63916af3986 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**02g ]Ɋ&  !Xg2 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e80ba715-77f6-4aca-b9dc-e63916af3986 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= P0**02g ]Ɋ&  !Xg2 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e80ba715-77f6-4aca-b9dc-e63916af3986 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bo0**2g ]Ɋ&  !g2 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e80ba715-77f6-4aca-b9dc-e63916af3986 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=eed2b12f-3e6a-48be-a295-4bdcd3db38ac PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pu**2P+g ]Ɋ&  !P+g2 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=e80ba715-77f6-4aca-b9dc-e63916af3986 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=eed2b12f-3e6a-48be-a295-4bdcd3db38ac PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=over** 2P+g ]Ɋ&  !XP+g2 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f83eb0a3-c20e-405d-8d70-89a3292da870 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o ** 2P+g ]Ɋ&  !XP+g2 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f83eb0a3-c20e-405d-8d70-89a3292da870 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s ** 2P+g ]Ɋ&  !XP+g2 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f83eb0a3-c20e-405d-8d70-89a3292da870 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=vid ** 2P+g ]Ɋ&  !XP+g2 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f83eb0a3-c20e-405d-8d70-89a3292da870 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Err ** 2P+g ]Ɋ&  !XP+g2 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f83eb0a3-c20e-405d-8d70-89a3292da870 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y { ** 2P+g ]Ɋ&  !XP+g2 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f83eb0a3-c20e-405d-8d70-89a3292da870 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=st ** 2P+g ]Ɋ& e !P+g2 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f83eb0a3-c20e-405d-8d70-89a3292da870 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=57192e86-eaec-4d4f-9f8b-367fdb189a20 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me ** 2P+g ]Ɋ& q !P+g2 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f83eb0a3-c20e-405d-8d70-89a3292da870 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=57192e86-eaec-4d4f-9f8b-367fdb189a20 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e-Ob **2g ]Ɋ& 7!Xg2 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=fc36ba33-9935-40e1-8fd1-16a086374f12 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=3**2g ]Ɋ& O!Xg2 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=fc36ba33-9935-40e1-8fd1-16a086374f12 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-**2g ]Ɋ& K!Xg2 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=fc36ba33-9935-40e1-8fd1-16a086374f12 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bje**2g ]Ɋ& C!Xg2 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=fc36ba33-9935-40e1-8fd1-16a086374f12 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Get**2g ]Ɋ& C!Xg2 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=fc36ba33-9935-40e1-8fd1-16a086374f12 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Com**2g ]Ɋ& E!Xg2 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=fc36ba33-9935-40e1-8fd1-16a086374f12 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ic**@2g ]Ɋ& !g2 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=fc36ba33-9935-40e1-8fd1-16a086374f12 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=acfa9619-7876-4283-8cd5-e29fc31bfea6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ti@**P2g ]Ɋ& !g2 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=fc36ba33-9935-40e1-8fd1-16a086374f12 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=acfa9619-7876-4283-8cd5-e29fc31bfea6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -ExP**8 2}\g ]Ɋ&  !X}\g2 F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=77247b6e-743b-42ce-81bd-998bd9bef2d0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=st8 **P 2}\g ]Ɋ&  !X}\g2 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=77247b6e-743b-42ce-81bd-998bd9bef2d0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=FiP **P 3}\g ]Ɋ&  !X}\g3 F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=77247b6e-743b-42ce-81bd-998bd9bef2d0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ComP ndLine=  ]Ɋ& X}\g3 F&2 F&} } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$e0Ext  ]Ɋ&  o5g2 F&ed.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s1 hngineVersion ]Ɋ& CoXD g2 F&mmandPath= CommandLine=mXndLine= ElfChnk33330ɆF7Mu=VysMc&&**H3}\g ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! ) !X}\g3 F&F%g>9{p(xlMD EventDatauoData !Binaryv FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=77247b6e-743b-42ce-81bd-998bd9bef2d0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=iH**H 3}\g ]Ɋ&  !X}\g3 F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=77247b6e-743b-42ce-81bd-998bd9bef2d0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ct -H **H 3}\g ]Ɋ&  !X}\g3 F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=77247b6e-743b-42ce-81bd-998bd9bef2d0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=etwH ** 3}\g ]Ɋ&  !}\g3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=77247b6e-743b-42ce-81bd-998bd9bef2d0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=4bba7adb-8419-4436-8d31-bc6b1e5455b7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sel ** 3}\g ]Ɋ&  !}\g3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=77247b6e-743b-42ce-81bd-998bd9bef2d0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=4bba7adb-8419-4436-8d31-bc6b1e5455b7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a ** 3}\g ]Ɋ& w !X}\g3 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=444ad080-35f9-46ce-a173-64d3210ca459 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=C **83}\g ]Ɋ&  !X}\g3 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=444ad080-35f9-46ce-a173-64d3210ca459 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=C8**83}\g ]Ɋ&  !X}\g3 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=444ad080-35f9-46ce-a173-64d3210ca459 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= }8**0 3}\g ]Ɋ&  !X}\g 3 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=444ad080-35f9-46ce-a173-64d3210ca459 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 'U0**0 3}\g ]Ɋ&  !X}\g 3 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=444ad080-35f9-46ce-a173-64d3210ca459 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0 3}\g ]Ɋ&  !X}\g 3 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=444ad080-35f9-46ce-a173-64d3210ca459 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=330** 3}\g ]Ɋ&  !}\g 3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=444ad080-35f9-46ce-a173-64d3210ca459 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d373ed91-9c66-49a1-ac5d-f6880ef0c4f0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ch** 3g ]Ɋ&  !g 3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=444ad080-35f9-46ce-a173-64d3210ca459 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d373ed91-9c66-49a1-ac5d-f6880ef0c4f0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==Sta**3g ]Ɋ& K!Xg3 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=18e28e4f-a4eb-4e59-8136-6b8aed7e5c46 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Non**3g ]Ɋ& c!Xg3 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=18e28e4f-a4eb-4e59-8136-6b8aed7e5c46 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ed **3g ]Ɋ& _!Xg3 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=18e28e4f-a4eb-4e59-8136-6b8aed7e5c46 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**3g ]Ɋ& W!Xg3 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=18e28e4f-a4eb-4e59-8136-6b8aed7e5c46 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r**3g ]Ɋ& W!Xg3 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=18e28e4f-a4eb-4e59-8136-6b8aed7e5c46 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**3g ]Ɋ& Y!Xg3 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=18e28e4f-a4eb-4e59-8136-6b8aed7e5c46 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.Ses**X3g ]Ɋ& !g3 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=18e28e4f-a4eb-4e59-8136-6b8aed7e5c46 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=98a18edd-82bc-468d-a689-c7371bea019b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=++ X**`3g ]Ɋ& !g3 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=18e28e4f-a4eb-4e59-8136-6b8aed7e5c46 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=98a18edd-82bc-468d-a689-c7371bea019b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$p`** 3g ]Ɋ& w !Xg3 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4b68f185-34a1-4bf3-bfff-2b34750bd775 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ipelineId=  ]Ɋ& mmXg3 F&Ext  ]Ɋ&  o5g2 F&ed.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s1 hngineVersion ]Ɋ& CoXD g2 F&mmandPath= CommandLine=mXndLine= ElfChnk3)33)3Hh]wn |Mu=VysMc&&**@3g ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !Xg3 F&F%g>9{p(xlMD EventDatauoData !Binaryl EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4b68f185-34a1-4bf3-bfff-2b34750bd775 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er@**83g ]Ɋ&  !Xg3 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4b68f185-34a1-4bf3-bfff-2b34750bd775 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2478**03g ]Ɋ&  !Xg3 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4b68f185-34a1-4bf3-bfff-2b34750bd775 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ass0**03g ]Ɋ&  !Xg3 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4b68f185-34a1-4bf3-bfff-2b34750bd775 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Add0**03g ]Ɋ&  !Xg3 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4b68f185-34a1-4bf3-bfff-2b34750bd775 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-D0**3g ]Ɋ&  !g3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4b68f185-34a1-4bf3-bfff-2b34750bd775 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=c849c955-00b5-4d14-a7be-10316c98f3f5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t-**3g ]Ɋ&  !g3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=4b68f185-34a1-4bf3-bfff-2b34750bd775 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=c849c955-00b5-4d14-a7be-10316c98f3f5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($ro** 3g ]Ɋ&  !Xg3 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5763c883-9ca6-4e64-8e77-c1d1c8b60a3b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 3g ]Ɋ&  !Xg3 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5763c883-9ca6-4e64-8e77-c1d1c8b60a3b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a ** 3g ]Ɋ&  !Xg 3 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5763c883-9ca6-4e64-8e77-c1d1c8b60a3b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** !3g ]Ɋ&  !Xg!3 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5763c883-9ca6-4e64-8e77-c1d1c8b60a3b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** "3g ]Ɋ&  !Xg"3 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5763c883-9ca6-4e64-8e77-c1d1c8b60a3b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= | ** #3g ]Ɋ&  !Xg#3 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5763c883-9ca6-4e64-8e77-c1d1c8b60a3b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ti ** $3g ]Ɋ& e !g$3 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5763c883-9ca6-4e64-8e77-c1d1c8b60a3b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=522bbb26-839f-4fab-876c-885420372345 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d0 **X%3@&g ]Ɋ&  !X@&g%3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b8a1fbd5-4621-4323-ae7b-5845f1db8aad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**p&3@&g ]Ɋ&  !X@&g&3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b8a1fbd5-4621-4323-ae7b-5845f1db8aad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cep**p'3@&g ]Ɋ&  !X@&g'3 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b8a1fbd5-4621-4323-ae7b-5845f1db8aad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**h(3@&g ]Ɋ&  !X@&g(3 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b8a1fbd5-4621-4323-ae7b-5845f1db8aad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NonIh**h)3@&g ]Ɋ&  !X@&g)3 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b8a1fbd5-4621-4323-ae7b-5845f1db8aad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y -ah $_.MACAddre ]Ɋ&  X@&g*3 F&in32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ipelineId=  ]Ɋ& mmXg3 F&Ext  ]Ɋ&  o5g2 F&ed.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s1 hngineVersion ]Ɋ& CoXD g2 F&mmandPath= CommandLine=mXndLine= ElfChnk*3C3*3C3hx<*X yMu=VysMc&&**h*3@&g ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! K!X@&g*3 F&F%g>9{p(xlMD EventDatauoData !Binary VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b8a1fbd5-4621-4323-ae7b-5845f1db8aad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**+3@&g ]Ɋ&  !@&g+3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b8a1fbd5-4621-4323-ae7b-5845f1db8aad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=d821a3be-306b-4337-8674-e56d965f682e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**,3@&g ]Ɋ& !@&g,3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b8a1fbd5-4621-4323-ae7b-5845f1db8aad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=d821a3be-306b-4337-8674-e56d965f682e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**X-3@&g ]Ɋ&  !X@&g-3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9635b701-1fac-4b65-ad62-63a86aabbde0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ncX**p.3@&g ]Ɋ&  !X@&g.3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9635b701-1fac-4b65-ad62-63a86aabbde0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=lep**p/3@&g ]Ɋ&  !X@&g/3 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9635b701-1fac-4b65-ad62-63a86aabbde0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Hop**h03@&g ]Ɋ&  !X@&g03 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9635b701-1fac-4b65-ad62-63a86aabbde0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r=1 h**h13@&g ]Ɋ&  !X@&g13 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9635b701-1fac-4b65-ad62-63a86aabbde0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=puteh**h23@&g ]Ɋ&  !X@&g23 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9635b701-1fac-4b65-ad62-63a86aabbde0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=derh** 33@&g ]Ɋ& q !@&g33 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5763c883-9ca6-4e64-8e77-c1d1c8b60a3b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=522bbb26-839f-4fab-876c-885420372345 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Seq **43@&g ]Ɋ&  !@&g43 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9635b701-1fac-4b65-ad62-63a86aabbde0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=491a59cc-f94e-4d4a-bb02-05371eae4d83 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.Cs**53@&g ]Ɋ& !@&g53 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9635b701-1fac-4b65-ad62-63a86aabbde0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=491a59cc-f94e-4d4a-bb02-05371eae4d83 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **63@&g ]Ɋ& 7!X@&g63 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=226bf0a7-094e-4e68-a4a3-b497bcb1918f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**73@&g ]Ɋ& O!X@&g73 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=226bf0a7-094e-4e68-a4a3-b497bcb1918f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$**83@&g ]Ɋ& K!X@&g83 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=226bf0a7-094e-4e68-a4a3-b497bcb1918f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=th **93@&g ]Ɋ& C!X@&g93 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=226bf0a7-094e-4e68-a4a3-b497bcb1918f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f (**:3@&g ]Ɋ& C!X@&g:3 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=226bf0a7-094e-4e68-a4a3-b497bcb1918f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=b8a**;3@&g ]Ɋ& E!X@&g;3 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=226bf0a7-094e-4e68-a4a3-b497bcb1918f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xt**@<3@&g ]Ɋ& !@&g<3 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=226bf0a7-094e-4e68-a4a3-b497bcb1918f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=6af9807a-6698-4cb0-9fc8-cc3a0e1f17e6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dL@**P=3׾g ]Ɋ& !׾g=3 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=226bf0a7-094e-4e68-a4a3-b497bcb1918f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=6af9807a-6698-4cb0-9fc8-cc3a0e1f17e6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e.SuP**>3NM#g ]Ɋ& U!XNM#g>3 F&2AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e7a2a563-62a0-418c-961d-674b41dc5b96 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dK**?3NM#g ]Ɋ& m!XNM#g?3 F&JEnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e7a2a563-62a0-418c-961d-674b41dc5b96 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fb**@3NM#g ]Ɋ& i!XNM#g@3 F&FFileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e7a2a563-62a0-418c-961d-674b41dc5b96 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=if (**A3NM#g ]Ɋ& a!XNM#gA3 F&>FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e7a2a563-62a0-418c-961d-674b41dc5b96 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=and **B3NM#g ]Ɋ& a!XNM#gB3 F&>RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e7a2a563-62a0-418c-961d-674b41dc5b96 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Runs**C3NM#g ]Ɋ& c!XNM#gC3 F&@VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e7a2a563-62a0-418c-961d-674b41dc5b96 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndTe= ScriptN ]Ɋ& neNM#gD3 F& CoXD g2 F&mmandPath= CommandLine=mXndLine= ElfChnkD3a3D3a3x8u,ݭMu=VysMc&&**` D3NM#g ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! C!NM#gD3 F&F%g>9{p(xlMD EventDatauoData !BinaryAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e7a2a563-62a0-418c-961d-674b41dc5b96 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion=4.0 RunspaceId=06e05894-15a5-4575-9655-bf3bef69a19a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=` **hE3NM#g ]Ɋ& !NM#gE3 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e7a2a563-62a0-418c-961d-674b41dc5b96 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion=4.0 RunspaceId=06e05894-15a5-4575-9655-bf3bef69a19a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**HF3šg ]Ɋ& !XšgF3 F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=082f5b5f-5452-4a89-83d7-8a05d05d4470 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=H**`G3šg ]Ɋ& !XšgG3 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=082f5b5f-5452-4a89-83d7-8a05d05d4470 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**`H3šg ]Ɋ& !XšgH3 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=082f5b5f-5452-4a89-83d7-8a05d05d4470 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=uEx`**XI3šg ]Ɋ& !XšgI3 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=082f5b5f-5452-4a89-83d7-8a05d05d4470 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a3bX**XJ3šg ]Ɋ& !XšgJ3 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=082f5b5f-5452-4a89-83d7-8a05d05d4470 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nv:X**XK3šg ]Ɋ& !XšgK3 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=082f5b5f-5452-4a89-83d7-8a05d05d4470 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=CeX**L3šg ]Ɋ& !šgL3 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=082f5b5f-5452-4a89-83d7-8a05d05d4470 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a71bad38-e365-4deb-875b-47d8c273c46a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **M3,g ]Ɋ& K!X,gM3 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4807642b-25ad-49e0-8685-b7d6174afbf2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h) **N3,g ]Ɋ& c!X,gN3 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4807642b-25ad-49e0-8685-b7d6174afbf2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $**O3,g ]Ɋ& _!X,gO3 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4807642b-25ad-49e0-8685-b7d6174afbf2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **P3,g ]Ɋ& W!X,gP3 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4807642b-25ad-49e0-8685-b7d6174afbf2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**Q3,g ]Ɋ& W!X,gQ3 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4807642b-25ad-49e0-8685-b7d6174afbf2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=)**R3,g ]Ɋ& Y!X,gR3 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4807642b-25ad-49e0-8685-b7d6174afbf2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($si**XS3,g ]Ɋ& !,gS3 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4807642b-25ad-49e0-8685-b7d6174afbf2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=9d0296f3-168f-4e7b-8c25-009073d110c6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eyUsX**`T3,g ]Ɋ& !,gT3 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4807642b-25ad-49e0-8685-b7d6174afbf2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=9d0296f3-168f-4e7b-8c25-009073d110c6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $`** U3,g ]Ɋ& w !X,gU3 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7c46e7c0-b6bd-4298-8e65-7b01b391c473 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=A **8V3,g ]Ɋ&  !X,gV3 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7c46e7c0-b6bd-4298-8e65-7b01b391c473 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y8**8W3,g ]Ɋ&  !X,gW3 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7c46e7c0-b6bd-4298-8e65-7b01b391c473 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e -8**0X3,g ]Ɋ&  !X,gX3 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7c46e7c0-b6bd-4298-8e65-7b01b391c473 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$($0**0Y3,g ]Ɋ&  !X,gY3 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7c46e7c0-b6bd-4298-8e65-7b01b391c473 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$($0**0Z3,g ]Ɋ&  !X,gZ3 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7c46e7c0-b6bd-4298-8e65-7b01b391c473 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sc0**[3,g ]Ɋ&  !,g[3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7c46e7c0-b6bd-4298-8e65-7b01b391c473 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=acb56fde-11ae-42ab-8c25-5a3337b24449 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pp**\3,g ]Ɋ&  !,g\3 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=082f5b5f-5452-4a89-83d7-8a05d05d4470 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a71bad38-e365-4deb-875b-47d8c273c46a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Name**]3qg ]Ɋ&  !qg]3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=7c46e7c0-b6bd-4298-8e65-7b01b391c473 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=acb56fde-11ae-42ab-8c25-5a3337b24449 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ''** ^3qg ]Ɋ&  !Xqg^3 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b1d7df81-0238-405f-97ea-ca3a60eb8120 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** _3qg ]Ɋ&  !Xqg_3 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b1d7df81-0238-405f-97ea-ca3a60eb8120 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** `3qg ]Ɋ&  !Xqg`3 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b1d7df81-0238-405f-97ea-ca3a60eb8120 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** a3qg ]Ɋ&  !Xqga3 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b1d7df81-0238-405f-97ea-ca3a60eb8120 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Co andPath= C ]Ɋ& Xqgb3 F&neNM#gD3 F& CoXD g2 F&mmandPath= CommandLine=mXndLine= ElfChnkb33b33(X0hu4~Mu=VysMc&&** b3qg ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !Xqgb3 F&F%g>9{p(xlMD EventDatauoData !BinaryRegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b1d7df81-0238-405f-97ea-ca3a60eb8120 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** c3qg ]Ɋ&  !Xqgc3 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b1d7df81-0238-405f-97ea-ca3a60eb8120 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=3 ** d3qg ]Ɋ& e !qgd3 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b1d7df81-0238-405f-97ea-ca3a60eb8120 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=80114fab-74ef-4dc0-ad75-7a90714f2b8f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=um ** e3^g ]Ɋ& q !^ge3 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b1d7df81-0238-405f-97ea-ca3a60eb8120 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=80114fab-74ef-4dc0-ad75-7a90714f2b8f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -Wi **f3^g ]Ɋ& 7!X^gf3 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b7eec32f-0a32-4464-b727-e27d670d23cb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**g3^g ]Ɋ& O!X^gg3 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b7eec32f-0a32-4464-b727-e27d670d23cb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a**h3^g ]Ɋ& K!X^gh3 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b7eec32f-0a32-4464-b727-e27d670d23cb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bje**i3^g ]Ɋ& C!X^gi3 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b7eec32f-0a32-4464-b727-e27d670d23cb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=SCu**j3^g ]Ɋ& C!X^gj3 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b7eec32f-0a32-4464-b727-e27d670d23cb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ct **k3^g ]Ɋ& E!X^gk3 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b7eec32f-0a32-4464-b727-e27d670d23cb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ac**@l3^g ]Ɋ& !^gl3 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b7eec32f-0a32-4464-b727-e27d670d23cb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=57d70efa-06f0-4e9e-9bce-27ce5f25f54f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ct@**Pm3g ]Ɋ& !gm3 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b7eec32f-0a32-4464-b727-e27d670d23cb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=57d70efa-06f0-4e9e-9bce-27ce5f25f54f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=PSCuP**Hn3 k]h ]Ɋ& !X k]hn3 F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5af178cc-433e-4dc2-a5c4-fcd1279321b4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=6H**`o3 k]h ]Ɋ& !X k]ho3 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5af178cc-433e-4dc2-a5c4-fcd1279321b4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i`**`p3 k]h ]Ɋ& !X k]hp3 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5af178cc-433e-4dc2-a5c4-fcd1279321b4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ewa`**Xq3 k]h ]Ɋ& !X k]hq3 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5af178cc-433e-4dc2-a5c4-fcd1279321b4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=iroX**Xr3 k]h ]Ɋ& !X k]hr3 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5af178cc-433e-4dc2-a5c4-fcd1279321b4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ntlX**Xs3 k]h ]Ɋ& !X k]hs3 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5af178cc-433e-4dc2-a5c4-fcd1279321b4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=AcX**t3 k]h ]Ɋ& ! k]ht3 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5af178cc-433e-4dc2-a5c4-fcd1279321b4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=93d67143-c265-46aa-ba84-38b2ab2f2eb7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Li**u39h ]Ɋ& K!X9hu3 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=3059dd10-eb0b-4f33-91af-7dd4e6252b37 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pte**v39h ]Ɋ& c!X9hv3 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=3059dd10-eb0b-4f33-91af-7dd4e6252b37 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $_**w39h ]Ɋ& _!X9hw3 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=3059dd10-eb0b-4f33-91af-7dd4e6252b37 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={**x39h ]Ɋ& W!X9hx3 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=3059dd10-eb0b-4f33-91af-7dd4e6252b37 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-**y39h ]Ɋ& W!X9hy3 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=3059dd10-eb0b-4f33-91af-7dd4e6252b37 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**z39h ]Ɋ& Y!X9hz3 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=3059dd10-eb0b-4f33-91af-7dd4e6252b37 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er.M**X{39h ]Ɋ& !9h{3 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=3059dd10-eb0b-4f33-91af-7dd4e6252b37 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=e313b83a-3f86-451f-ab8a-5bb2e335a3df PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mmanX**`|39h ]Ɋ& !9h|3 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=3059dd10-eb0b-4f33-91af-7dd4e6252b37 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=e313b83a-3f86-451f-ab8a-5bb2e335a3df PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eI`** }39h ]Ɋ& w !X9h}3 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=152c14e3-04d9-4485-9c15-aeef318d94dc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=I **8~39h ]Ɋ&  !X9h~3 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=152c14e3-04d9-4485-9c15-aeef318d94dc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**839h ]Ɋ&  !X9h3 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=152c14e3-04d9-4485-9c15-aeef318d94dc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8**039h ]Ɋ&  !X9h3 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=152c14e3-04d9-4485-9c15-aeef318d94dc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ 0**039h ]Ɋ&  !X9h3 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=152c14e3-04d9-4485-9c15-aeef318d94dc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Com0ndLine= ]Ɋ& X9h3 F&a3 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b1d7df81-0238-405f-97ea-ca3a60eb8120 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Co andPath= C ]Ɋ& Xqgb3 F&neNM#gD3 F& CoXD g2 F&mmandPath= CommandLine=mXndLine= ElfChnk3333`?8ttMu=VysMc&&**839h ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X9h3 F&F%g>9{p(xlMD EventDatauoData !Binaryb VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=152c14e3-04d9-4485-9c15-aeef318d94dc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Int8**39h ]Ɋ&  !9h3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=152c14e3-04d9-4485-9c15-aeef318d94dc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b45e8454-2bc2-42a7-b2cf-9dffe8957b5e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d7**3ϕh ]Ɋ&  !ϕh3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=152c14e3-04d9-4485-9c15-aeef318d94dc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b45e8454-2bc2-42a7-b2cf-9dffe8957b5e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s -n** 3ϕh ]Ɋ&  !Xϕh3 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=54f312e0-238b-44c2-a016-7b3de0449ca7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m ** 3ϕh ]Ɋ&  !Xϕh3 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=54f312e0-238b-44c2-a016-7b3de0449ca7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ** 3ϕh ]Ɋ&  !Xϕh3 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=54f312e0-238b-44c2-a016-7b3de0449ca7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ere ** 3ϕh ]Ɋ&  !Xϕh3 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=54f312e0-238b-44c2-a016-7b3de0449ca7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 3ϕh ]Ɋ&  !Xϕh3 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=54f312e0-238b-44c2-a016-7b3de0449ca7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C ** 3ϕh ]Ɋ&  !Xϕh3 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=54f312e0-238b-44c2-a016-7b3de0449ca7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rt ** 3ϕh ]Ɋ& e !ϕh3 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=54f312e0-238b-44c2-a016-7b3de0449ca7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=8925ac7c-304a-487d-9e0e-1f8664c598be PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ic **3f.h ]Ɋ&  !f.h3 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5af178cc-433e-4dc2-a5c4-fcd1279321b4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=93d67143-c265-46aa-ba84-38b2ab2f2eb7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=file** 3f.h ]Ɋ& q !f.h3 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=54f312e0-238b-44c2-a016-7b3de0449ca7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=8925ac7c-304a-487d-9e0e-1f8664c598be PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=7dd4 **3f.h ]Ɋ& 7!Xf.h3 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=92e9c65a-275c-424c-ae21-e39141654930 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**3f.h ]Ɋ& O!Xf.h3 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=92e9c65a-275c-424c-ae21-e39141654930 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**3f.h ]Ɋ& K!Xf.h3 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=92e9c65a-275c-424c-ae21-e39141654930 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=stI**3f.h ]Ɋ& C!Xf.h3 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=92e9c65a-275c-424c-ae21-e39141654930 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==4.**3f.h ]Ɋ& C!Xf.h3 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=92e9c65a-275c-424c-ae21-e39141654930 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**3f.h ]Ɋ& E!Xf.h3 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=92e9c65a-275c-424c-ae21-e39141654930 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Av**@3f.h ]Ɋ& !f.h3 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=92e9c65a-275c-424c-ae21-e39141654930 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=e10fac3e-16c9-4328-af52-1130f04b38be PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ta@**P3Ɓh ]Ɋ& !Ɓh3 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=92e9c65a-275c-424c-ae21-e39141654930 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=e10fac3e-16c9-4328-af52-1130f04b38be PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $maP**H3~;i ]Ɋ& !X~;i3 F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=edf4e36b-c1cf-4557-b0db-0cbebea4f38b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_H**`3~;i ]Ɋ& !X~;i3 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=edf4e36b-c1cf-4557-b0db-0cbebea4f38b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d`**`3~;i ]Ɋ& !X~;i3 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=edf4e36b-c1cf-4557-b0db-0cbebea4f38b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=len`**X3~;i ]Ɋ& !X~;i3 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=edf4e36b-c1cf-4557-b0db-0cbebea4f38b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -aX**X3~;i ]Ɋ& !X~;i3 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=edf4e36b-c1cf-4557-b0db-0cbebea4f38b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=temX**X3~;i ]Ɋ& !X~;i3 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=edf4e36b-c1cf-4557-b0db-0cbebea4f38b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tiX**3~;i ]Ɋ& !~;i3 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=edf4e36b-c1cf-4557-b0db-0cbebea4f38b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=3b9d58dc-5c53-4747-ad77-4d92eda882a8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mI**X3"i ]Ɋ&  !X"i3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=80e0c39a-b8fa-4ab3-91d3-871d8b1a7276 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= WX**p3"i ]Ɋ&  !X"i3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=80e0c39a-b8fa-4ab3-91d3-871d8b1a7276 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=onp**p3"i ]Ɋ&  !X"i3 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=80e0c39a-b8fa-4ab3-91d3-871d8b1a7276 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gpb3 F& ]Ɋ& X"i3 F& F&mmandPath= CommandLine=mXndLine= ElfChnk3333(X@>mMu=VysMc&&**h3"i ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! I!X"i3 F&F%g>9{p(xlMD EventDatauoData !Binary FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=80e0c39a-b8fa-4ab3-91d3-871d8b1a7276 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h3"i ]Ɋ&  !X"i3 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=80e0c39a-b8fa-4ab3-91d3-871d8b1a7276 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ϕh**h3"i ]Ɋ&  !X"i3 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=80e0c39a-b8fa-4ab3-91d3-871d8b1a7276 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ne=h**3"i ]Ɋ&  !"i3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=80e0c39a-b8fa-4ab3-91d3-871d8b1a7276 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=e6211813-6ede-41ae-9f99-ec3d2deed05d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **3"i ]Ɋ& !"i3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=80e0c39a-b8fa-4ab3-91d3-871d8b1a7276 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=e6211813-6ede-41ae-9f99-ec3d2deed05d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X3 +i ]Ɋ&  !X +i3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0b08d026-dfce-4a62-a1db-ac09651496d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -X**p3 +i ]Ɋ&  !X +i3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0b08d026-dfce-4a62-a1db-ac09651496d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tNp**p3 +i ]Ɋ&  !X +i3 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0b08d026-dfce-4a62-a1db-ac09651496d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ineIp**h3 +i ]Ɋ&  !X +i3 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0b08d026-dfce-4a62-a1db-ac09651496d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ''h**h3 +i ]Ɋ&  !X +i3 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0b08d026-dfce-4a62-a1db-ac09651496d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h3 +i ]Ɋ&  !X +i3 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0b08d026-dfce-4a62-a1db-ac09651496d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=icyh**3 +i ]Ɋ&  ! +i3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0b08d026-dfce-4a62-a1db-ac09651496d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=640e0cb2-891f-4dbc-b3cf-2be2174ff6e9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Id=**3 +i ]Ɋ& ! +i3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=0b08d026-dfce-4a62-a1db-ac09651496d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=640e0cb2-891f-4dbc-b3cf-2be2174ff6e9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** 3+i ]Ɋ& w !X+i3 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=faad2164-ee8f-4673-a375-ca85359942d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=4 **83+i ]Ɋ&  !X+i3 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=faad2164-ee8f-4673-a375-ca85359942d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=j8**83+i ]Ɋ&  !X+i3 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=faad2164-ee8f-4673-a375-ca85359942d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Enh8**03+i ]Ɋ&  !X+i3 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=faad2164-ee8f-4673-a375-ca85359942d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0 $ekus ]Ɋ&  {X+i3 F& } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gpb3 F& ]Ɋ& X"i3 F& F&mmandPath= CommandLine=mXndLine= ElfChnk3333ΊVfdMu=VysMc&&**03+i ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X+i3 F&F%g>9{p(xlMD EventDatauoData !Binary` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=faad2164-ee8f-4673-a375-ca85359942d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**03+i ]Ɋ&  !X+i3 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=faad2164-ee8f-4673-a375-ca85359942d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dT0**3+i ]Ɋ&  !+i3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=faad2164-ee8f-4673-a375-ca85359942d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=79329977-a9fa-4564-bd3c-55049c0287aa PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ri**3?,i ]Ɋ&  !?,i3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=faad2164-ee8f-4673-a375-ca85359942d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=79329977-a9fa-4564-bd3c-55049c0287aa PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e= **3?,i ]Ɋ&  !X?,i3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4f41cd47-fa7f-46f0-8f83-61e3a8bfd78c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=neId**3?,i ]Ɋ&  !X?,i3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4f41cd47-fa7f-46f0-8f83-61e3a8bfd78c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C**3?,i ]Ɋ& !X?,i3 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4f41cd47-fa7f-46f0-8f83-61e3a8bfd78c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tN**3?,i ]Ɋ&  !X?,i3 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4f41cd47-fa7f-46f0-8f83-61e3a8bfd78c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**3?,i ]Ɋ&  !X?,i3 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4f41cd47-fa7f-46f0-8f83-61e3a8bfd78c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**3?,i ]Ɋ&  !X?,i3 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4f41cd47-fa7f-46f0-8f83-61e3a8bfd78c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**3?,i ]Ɋ& O!?,i3 F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4f41cd47-fa7f-46f0-8f83-61e3a8bfd78c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=95617fb6-3c6a-4fd9-ba5a-692d65baea6f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**3,i ]Ɋ& [!,i3 F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4f41cd47-fa7f-46f0-8f83-61e3a8bfd78c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=95617fb6-3c6a-4fd9-ba5a-692d65baea6f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tNa**`3Z4i ]Ɋ& !XZ4i3 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=269e8bec-00b4-49dd-b502-7115b66556a8 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-c5wxsnpp.dlv.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= "S`**x3Z4i ]Ɋ& !XZ4i3 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=269e8bec-00b4-49dd-b502-7115b66556a8 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-c5wxsnpp.dlv.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=siox**p3Z4i ]Ɋ& !XZ4i3 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=269e8bec-00b4-49dd-b502-7115b66556a8 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-c5wxsnpp.dlv.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**h3Z4i ]Ɋ& !XZ4i3 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=269e8bec-00b4-49dd-b502-7115b66556a8 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-c5wxsnpp.dlv.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**h3Z4i ]Ɋ& !XZ4i3 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=269e8bec-00b4-49dd-b502-7115b66556a8 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-c5wxsnpp.dlv.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**p3Z4i ]Ɋ& !XZ4i3 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=269e8bec-00b4-49dd-b502-7115b66556a8 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-c5wxsnpp.dlv.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pacep**3Z4i ]Ɋ& !Z4i3 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=269e8bec-00b4-49dd-b502-7115b66556a8 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-c5wxsnpp.dlv.ps1 EngineVersion=4.0 RunspaceId=ab79dd3b-417e-451e-b60f-8cc54cd37bb5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Net**3/5i ]Ɋ& !/5i3 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=269e8bec-00b4-49dd-b502-7115b66556a8 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-c5wxsnpp.dlv.ps1 EngineVersion=4.0 RunspaceId=ab79dd3b-417e-451e-b60f-8cc54cd37bb5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= i** 3/5i ]Ɋ& w !X/5i3 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=66b1a56c-722a-4faa-b761-0c86625e0b5f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t **83/5i ]Ɋ&  !X/5i3 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=66b1a56c-722a-4faa-b761-0c86625e0b5f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={8 # ignore an ]Ɋ& (GX/5i3 F&rrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0 $ekus ]Ɋ&  {X+i3 F& } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gpb3 F& ]Ɋ& X"i3 F& F&mmandPath= CommandLine=mXndLine= ElfChnk33330}tG=hMu=VysMc&&**83/5i ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X/5i3 F&F%g>9{p(xlMD EventDatauoData !Binaryh FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=66b1a56c-722a-4faa-b761-0c86625e0b5f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8**03/5i ]Ɋ&  !X/5i3 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=66b1a56c-722a-4faa-b761-0c86625e0b5f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**0**03/5i ]Ɋ&  !X/5i3 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=66b1a56c-722a-4faa-b761-0c86625e0b5f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me=0**03/5i ]Ɋ&  !X/5i3 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=66b1a56c-722a-4faa-b761-0c86625e0b5f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eI0**3/5i ]Ɋ&  !/5i3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=66b1a56c-722a-4faa-b761-0c86625e0b5f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=5a384bfc-73c4-4595-973b-4a95d8d41272 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ac**35i ]Ɋ&  !5i3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=66b1a56c-722a-4faa-b761-0c86625e0b5f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=5a384bfc-73c4-4595-973b-4a95d8d41272 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Engi** 35i ]Ɋ&  !X5i3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e4e31ab1-0cfd-490f-a4e9-34ce7661876b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gg ** 35i ]Ɋ&  !X5i3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e4e31ab1-0cfd-490f-a4e9-34ce7661876b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ly ** 35i ]Ɋ&  !X5i3 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e4e31ab1-0cfd-490f-a4e9-34ce7661876b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nBat ** 35i ]Ɋ&  !X5i3 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e4e31ab1-0cfd-490f-a4e9-34ce7661876b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ber= ** 35i ]Ɋ&  !X5i3 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e4e31ab1-0cfd-490f-a4e9-34ce7661876b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= sti ** 35i ]Ɋ&  !X5i3 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e4e31ab1-0cfd-490f-a4e9-34ce7661876b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= } ** 35i ]Ɋ& ; !5i3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e4e31ab1-0cfd-490f-a4e9-34ce7661876b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion=4.0 RunspaceId=4b78341b-8ab7-461c-839b-c95e766e1a6c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d n **35i ]Ɋ&  !5i3 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=edf4e36b-c1cf-4557-b0db-0cbebea4f38b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=3b9d58dc-5c53-4747-ad77-4d92eda882a8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($ex** 3a6i ]Ɋ& G !a6i3 F&$ StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e4e31ab1-0cfd-490f-a4e9-34ce7661876b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion=4.0 RunspaceId=4b78341b-8ab7-461c-839b-c95e766e1a6c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a **X3K7i ]Ɋ&  !XK7i3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a57f80c9-bb9b-4bdc-936d-0b8bacc0e226 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=VaX**p3K7i ]Ɋ&  !XK7i3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a57f80c9-bb9b-4bdc-936d-0b8bacc0e226 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= p**p3K7i ]Ɋ&  !XK7i3 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a57f80c9-bb9b-4bdc-936d-0b8bacc0e226 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Hostp**h3K7i ]Ɋ&  !XK7i3 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a57f80c9-bb9b-4bdc-936d-0b8bacc0e226 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nablh -and $_.Def ]Ɋ& ecXK7i3 F& $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0 $ekus ]Ɋ&  {X+i3 F& } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gpb3 F& ]Ɋ& X"i3 F& F&mmandPath= CommandLine=mXndLine= ElfChnk3333RkJIMu=VysMc&&**h3K7i ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! I!XK7i3 F&F%g>9{p(xlMD EventDatauoData !Binary RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a57f80c9-bb9b-4bdc-936d-0b8bacc0e226 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h3K7i ]Ɋ&  !XK7i3 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a57f80c9-bb9b-4bdc-936d-0b8bacc0e226 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**3K7i ]Ɋ&  !K7i3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a57f80c9-bb9b-4bdc-936d-0b8bacc0e226 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=0422c6eb-96d0-4406-ac1e-a7c242de70d1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rov**3K7i ]Ɋ& !K7i3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=a57f80c9-bb9b-4bdc-936d-0b8bacc0e226 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=0422c6eb-96d0-4406-ac1e-a7c242de70d1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 3K7i ]Ɋ& w !XK7i3 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ad5db377-d68e-4f5f-a676-a8a4e078c1c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r **83K7i ]Ɋ&  !XK7i3 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ad5db377-d68e-4f5f-a676-a8a4e078c1c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l8**83K7i ]Ɋ&  !XK7i3 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ad5db377-d68e-4f5f-a676-a8a4e078c1c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ew-8**03K7i ]Ɋ&  !XK7i3 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ad5db377-d68e-4f5f-a676-a8a4e078c1c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cat0**03K7i ]Ɋ&  !XK7i3 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ad5db377-d68e-4f5f-a676-a8a4e078c1c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { 0**03K7i ]Ɋ&  !XK7i3 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ad5db377-d68e-4f5f-a676-a8a4e078c1c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e=0**3K7i ]Ɋ&  !K7i3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ad5db377-d68e-4f5f-a676-a8a4e078c1c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=a1dfb0dc-22a3-4af5-84c7-533c8b127110 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le**3*8i ]Ɋ&  !*8i3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=ad5db377-d68e-4f5f-a676-a8a4e078c1c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=a1dfb0dc-22a3-4af5-84c7-533c8b127110 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X3vBi ]Ɋ&  !XvBi3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7ecc5b91-6552-4187-b08c-6bb0cf2997e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $X**p3vBi ]Ɋ&  !XvBi3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7ecc5b91-6552-4187-b08c-6bb0cf2997e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $p**p3vBi ]Ɋ&  !XvBi3 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7ecc5b91-6552-4187-b08c-6bb0cf2997e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $Erp**h3vBi ]Ɋ&  !XvBi3 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7ecc5b91-6552-4187-b08c-6bb0cf2997e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $Erh**h3vBi ]Ɋ&  !XvBi3 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7ecc5b91-6552-4187-b08c-6bb0cf2997e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on= hRunspaceId=  ]Ɋ& crXvBi3 F&mandLine= 0 $ekus ]Ɋ&  {X+i3 F& } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gpb3 F& ]Ɋ& X"i3 F& F&mmandPath= CommandLine=mXndLine= ElfChnk3333)4=Mu=VysMc&&**h3vBi ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! K!XvBi3 F&F%g>9{p(xlMD EventDatauoData !Binary VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7ecc5b91-6552-4187-b08c-6bb0cf2997e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**3vBi ]Ɋ&  !vBi3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7ecc5b91-6552-4187-b08c-6bb0cf2997e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=310b5637-eca0-4bb4-8d9a-37eafd4b959a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**3vBi ]Ɋ& !vBi3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=7ecc5b91-6552-4187-b08c-6bb0cf2997e9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=310b5637-eca0-4bb4-8d9a-37eafd4b959a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X3 Mi ]Ɋ&  !X Mi3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=dcf15b6e-502d-4d0f-b194-6ce9a6c7541c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=LiX**p3 Mi ]Ɋ&  !X Mi3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=dcf15b6e-502d-4d0f-b194-6ce9a6c7541c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**p3 Mi ]Ɋ&  !X Mi3 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=dcf15b6e-502d-4d0f-b194-6ce9a6c7541c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**h3 Mi ]Ɋ&  !X Mi3 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=dcf15b6e-502d-4d0f-b194-6ce9a6c7541c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h3 Mi ]Ɋ&  !X Mi3 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=dcf15b6e-502d-4d0f-b194-6ce9a6c7541c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tarth**h3 Mi ]Ɋ&  !X Mi3 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=dcf15b6e-502d-4d0f-b194-6ce9a6c7541c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**3 Mi ]Ɋ&  ! Mi3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=dcf15b6e-502d-4d0f-b194-6ce9a6c7541c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=a6f4250a-0803-42c8-8d22-3ca6c933e430 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ole**3 Mi ]Ɋ& ! Mi3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=dcf15b6e-502d-4d0f-b194-6ce9a6c7541c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=a6f4250a-0803-42c8-8d22-3ca6c933e430 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=H** 3 Mi ]Ɋ& w !X Mi3 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=66c382b8-19b4-4d9e-92ac-4385af0bc1ef HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **83 Mi ]Ɋ&  !X Mi3 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=66c382b8-19b4-4d9e-92ac-4385af0bc1ef HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t8**83 Mi ]Ɋ&  !X Mi3 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=66c382b8-19b4-4d9e-92ac-4385af0bc1ef HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ste8**03 Mi ]Ɋ&  !X Mi3 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=66c382b8-19b4-4d9e-92ac-4385af0bc1ef HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nS0**03 Mi ]Ɋ&  !X Mi3 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=66c382b8-19b4-4d9e-92ac-4385af0bc1ef HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=30**03 Mi ]Ɋ&  !X Mi3 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=66c382b8-19b4-4d9e-92ac-4385af0bc1ef HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0crX ]Ɋ&   Mi3 F&  {X+i3 F& } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gpb3 F& ]Ɋ& X"i3 F& F&mmandPath= CommandLine=mXndLine= ElfChnk3 43 4`'HseŦMu=VysMc&&**3 Mi ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! e! Mi3 F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=66c382b8-19b4-4d9e-92ac-4385af0bc1ef HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d5411f64-1d47-4015-95bd-84792ff32e48 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**38Ni ]Ɋ&  !8Ni3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=66c382b8-19b4-4d9e-92ac-4385af0bc1ef HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d5411f64-1d47-4015-95bd-84792ff32e48 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==**38Ni ]Ɋ&  !X8Ni3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=474ccfc1-778e-44f5-9c98-b3085fd2f441 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ath=**38Ni ]Ɋ&  !X8Ni3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=474ccfc1-778e-44f5-9c98-b3085fd2f441 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**48Ni ]Ɋ& !X8Ni4 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=474ccfc1-778e-44f5-9c98-b3085fd2f441 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**48Ni ]Ɋ&  !X8Ni4 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=474ccfc1-778e-44f5-9c98-b3085fd2f441 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=FӨ**48Ni ]Ɋ&  !X8Ni4 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=474ccfc1-778e-44f5-9c98-b3085fd2f441 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ov**48Ni ]Ɋ&  !X8Ni4 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=474ccfc1-778e-44f5-9c98-b3085fd2f441 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S**48Ni ]Ɋ& O!8Ni4 F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=474ccfc1-778e-44f5-9c98-b3085fd2f441 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=858d25b3-2e92-4b6e-b34b-9e4ac6974a6d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**48Ni ]Ɋ& [!8Ni4 F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=474ccfc1-778e-44f5-9c98-b3085fd2f441 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=858d25b3-2e92-4b6e-b34b-9e4ac6974a6d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d0f**8 4dRi ]Ɋ&  !XdRi4 F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2acecb3e-1705-4027-ae0f-a7c36443c41c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8 **P 4dRi ]Ɋ&  !XdRi4 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2acecb3e-1705-4027-ae0f-a7c36443c41c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=meP **P 4dRi ]Ɋ&  !XdRi4 F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2acecb3e-1705-4027-ae0f-a7c36443c41c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gnorP **H 4dRi ]Ɋ&  !XdRi 4 F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2acecb3e-1705-4027-ae0f-a7c36443c41c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tewaH **H 4dRi ]Ɋ&  !XdRi 4 F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2acecb3e-1705-4027-ae0f-a7c36443c41c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H **H 4dRi ]Ɋ&  !XdRi 4 F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2acecb3e-1705-4027-ae0f-a7c36443c41c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=| WH ** 4VRi ]Ɋ&  !VRi 4 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2acecb3e-1705-4027-ae0f-a7c36443c41c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=b4194529-7bdb-4349-a0e9-2cd34a6289ee PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { $cfg = G ]Ɋ& onVRi 4 F&_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0crX ]Ɋ&   Mi3 F&  {X+i3 F& } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gpb3 F& ]Ɋ& X"i3 F& F&mmandPath= CommandLine=mXndLine= ElfChnk 4"4 4"4h,pDp7Mu=VysMc&&** 4VRi ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !VRi 4 F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=2acecb3e-1705-4027-ae0f-a7c36443c41c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=b4194529-7bdb-4349-a0e9-2cd34a6289ee PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=5-** 4VRi ]Ɋ& w !XVRi4 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=fa735299-5490-41ca-995e-7bc9690733c4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **84VRi ]Ɋ&  !XVRi4 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=fa735299-5490-41ca-995e-7bc9690733c4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r8**84VRi ]Ɋ&  !XVRi4 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=fa735299-5490-41ca-995e-7bc9690733c4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sto8**04VRi ]Ɋ&  !XVRi4 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=fa735299-5490-41ca-995e-7bc9690733c4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=edu0**04VRi ]Ɋ&  !XVRi4 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=fa735299-5490-41ca-995e-7bc9690733c4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rig0**04VRi ]Ɋ&  !XVRi4 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=fa735299-5490-41ca-995e-7bc9690733c4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=th0**4VRi ]Ɋ&  !VRi4 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=fa735299-5490-41ca-995e-7bc9690733c4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f0494abf-7103-407a-8c67-2ac867f63fa9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=es**4Si ]Ɋ&  !Si4 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=fa735299-5490-41ca-995e-7bc9690733c4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f0494abf-7103-407a-8c67-2ac867f63fa9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=# De**4Si ]Ɋ& K!XSi4 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a6bef5cb-641a-4bbd-aa9e-62b58333c9d8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Hos**4Si ]Ɋ& c!XSi4 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a6bef5cb-641a-4bbd-aa9e-62b58333c9d8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ry **4Si ]Ɋ& _!XSi4 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a6bef5cb-641a-4bbd-aa9e-62b58333c9d8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s**4Si ]Ɋ& W!XSi4 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a6bef5cb-641a-4bbd-aa9e-62b58333c9d8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**4Si ]Ɋ& W!XSi4 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a6bef5cb-641a-4bbd-aa9e-62b58333c9d8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**4Si ]Ɋ& Y!XSi4 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a6bef5cb-641a-4bbd-aa9e-62b58333c9d8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ern **X4Si ]Ɋ& !Si4 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a6bef5cb-641a-4bbd-aa9e-62b58333c9d8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=5f677a0b-62b2-41c7-92b8-cacb64096f73 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ionDX**`4Si ]Ɋ& !Si4 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=a6bef5cb-641a-4bbd-aa9e-62b58333c9d8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=5f677a0b-62b2-41c7-92b8-cacb64096f73 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `** 4Si ]Ɋ& w !XSi4 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f61c8471-5095-48e5-8e91-d6ac0aa1a36b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l **84Si ]Ɋ&  !XSi4 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f61c8471-5095-48e5-8e91-d6ac0aa1a36b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e8**8 4Si ]Ɋ&  !XSi 4 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f61c8471-5095-48e5-8e91-d6ac0aa1a36b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ c8**0!4Si ]Ɋ&  !XSi!4 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f61c8471-5095-48e5-8e91-d6ac0aa1a36b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mIn0**0"4Si ]Ɋ&  !XSi"4 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f61c8471-5095-48e5-8e91-d6ac0aa1a36b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xce0ion.Message) ]Ɋ&  XSi#4 F&CommandType= ScriptName= CommandPath= CommandLine=gpb3 F& ]Ɋ& X"i3 F& F&mmandPath= CommandLine=mXndLine= ElfChnk#454#454rMu=VysMc&&**8#4Si ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XSi#4 F&F%g>9{p(xlMD EventDatauoData !Binaryb VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f61c8471-5095-48e5-8e91-d6ac0aa1a36b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=V8**$4Si ]Ɋ&  !Si$4 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f61c8471-5095-48e5-8e91-d6ac0aa1a36b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=199e82a4-774e-4159-bdc3-1e457694c3ca PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= P**%4.Ti ]Ɋ&  !.Ti%4 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=f61c8471-5095-48e5-8e91-d6ac0aa1a36b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=199e82a4-774e-4159-bdc3-1e457694c3ca PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==Sta** &4.Ti ]Ɋ&  !X.Ti&4 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9cb10d8b-4aa8-41ca-bf00-d385d59e2930 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t ** '4.Ti ]Ɋ&  !X.Ti'4 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9cb10d8b-4aa8-41ca-bf00-d385d59e2930 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c ** (4.Ti ]Ɋ&  !X.Ti(4 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9cb10d8b-4aa8-41ca-bf00-d385d59e2930 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=733 ** )4.Ti ]Ɋ&  !X.Ti)4 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9cb10d8b-4aa8-41ca-bf00-d385d59e2930 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=led ** *4.Ti ]Ɋ&  !X.Ti*4 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9cb10d8b-4aa8-41ca-bf00-d385d59e2930 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** +4.Ti ]Ɋ&  !X.Ti+4 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9cb10d8b-4aa8-41ca-bf00-d385d59e2930 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nP ** ,4.Ti ]Ɋ& e !.Ti,4 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9cb10d8b-4aa8-41ca-bf00-d385d59e2930 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=109cca0d-8020-47ab-8117-aee3f881027d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=}  **X-4Ti ]Ɋ&  !XTi-4 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=30f42b11-2d5b-40d8-bbfe-8a6a27ad04cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= cX**p.4Ti ]Ɋ&  !XTi.4 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=30f42b11-2d5b-40d8-bbfe-8a6a27ad04cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**p/4Ti ]Ɋ&  !XTi/4 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=30f42b11-2d5b-40d8-bbfe-8a6a27ad04cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=calDp**h04Ti ]Ɋ&  !XTi04 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=30f42b11-2d5b-40d8-bbfe-8a6a27ad04cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cacbh**h14Ti ]Ɋ&  !XTi14 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=30f42b11-2d5b-40d8-bbfe-8a6a27ad04cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0-00h**h24Ti ]Ɋ&  !XTi24 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=30f42b11-2d5b-40d8-bbfe-8a6a27ad04cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**34Ti ]Ɋ&  !Ti34 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=30f42b11-2d5b-40d8-bbfe-8a6a27ad04cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=3ad85e0c-933a-4ef9-b5f8-f2ed8aa6bcc0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **44Ti ]Ɋ& !Ti44 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=30f42b11-2d5b-40d8-bbfe-8a6a27ad04cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=3ad85e0c-933a-4ef9-b5f8-f2ed8aa6bcc0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=}**X54Ti ]Ɋ&  !XTi54 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ea97599d-f46d-4502-9bdc-15c04c2b6032 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= {X # ignore an ]Ɋ& (GXTi64 F&rrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xce0ion.Message) ]Ɋ&  XSi#4 F&CommandType= ScriptName= CommandPath= CommandLine=gpb3 F& ]Ɋ& X"i3 F& F&mmandPath= CommandLine=mXndLine= ElfChnk64J464J4u*(Mu=VysMc&&**x64Ti ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! U!XTi64 F&F%g>9{p(xlMD EventDatauoData !Binary EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ea97599d-f46d-4502-9bdc-15c04c2b6032 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=x**p74Ti ]Ɋ&  !XTi74 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ea97599d-f46d-4502-9bdc-15c04c2b6032 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**h84Ti ]Ɋ&  !XTi84 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ea97599d-f46d-4502-9bdc-15c04c2b6032 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**h**h94Ti ]Ɋ&  !XTi94 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ea97599d-f46d-4502-9bdc-15c04c2b6032 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=aceIh**h:4Ti ]Ɋ&  !XTi:4 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ea97599d-f46d-4502-9bdc-15c04c2b6032 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ypeh**;4Ti ]Ɋ&  !Ti;4 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ea97599d-f46d-4502-9bdc-15c04c2b6032 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=48144996-3e1a-44f7-b232-7db1cc92aad9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=x $** <4Ti ]Ɋ& q !Ti<4 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9cb10d8b-4aa8-41ca-bf00-d385d59e2930 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=109cca0d-8020-47ab-8117-aee3f881027d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **=4Ti ]Ɋ& !Ti=4 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ea97599d-f46d-4502-9bdc-15c04c2b6032 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=48144996-3e1a-44f7-b232-7db1cc92aad9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**8>4Ti ]Ɋ& !XTi>4 F&hAliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5ca70ac0-853f-4507-9230-bdfeeac29d3c HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $items = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop | Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption $items | ConvertTo-Json -Compress } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ert8**P?4Ti ]Ɋ& !XTi?4 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5ca70ac0-853f-4507-9230-bdfeeac29d3c HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $items = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop | Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption $items | ConvertTo-Json -Compress } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= P**H@4Ti ]Ɋ& !XTi@4 F&|FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5ca70ac0-853f-4507-9230-bdfeeac29d3c HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $items = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop | Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption $items | ConvertTo-Json -Compress } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gH**@A4Ti ]Ɋ& !XTiA4 F&tFunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5ca70ac0-853f-4507-9230-bdfeeac29d3c HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $items = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop | Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption $items | ConvertTo-Json -Compress } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= @**@B4Ti ]Ɋ& !XTiB4 F&tRegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5ca70ac0-853f-4507-9230-bdfeeac29d3c HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $items = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop | Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption $items | ConvertTo-Json -Compress } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.@**HC4Ti ]Ɋ& !XTiC4 F&vVariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5ca70ac0-853f-4507-9230-bdfeeac29d3c HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $items = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop | Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption $items | ConvertTo-Json -Compress } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t { H**D4Ti ]Ɋ& !TiD4 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5ca70ac0-853f-4507-9230-bdfeeac29d3c HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $items = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop | Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption $items | ConvertTo-Json -Compress } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion=4.0 RunspaceId=da784a3f-b23f-4d08-9bf6-f9e0ffe2df78 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=onS**E4FUi ]Ɋ& !FUiE4 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5ca70ac0-853f-4507-9230-bdfeeac29d3c HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $items = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop | Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption $items | ConvertTo-Json -Compress } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion=4.0 RunspaceId=da784a3f-b23f-4d08-9bf6-f9e0ffe2df78 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **F4FUi ]Ɋ& %!XFUiF4 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ab654804-fed2-433b-9f7d-050e4625a219 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $paths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" ) foreach ($path in $paths) { $base = $path -replace '\\\*$', '' if (-not (Test-Path $base)) { continue } $items = Get-ItemProperty $path -ErrorAction SilentlyContinue foreach ($item in $items) { $displayName = $item.DisplayName if (-not $displayName) { continue } if ($item.SystemComponent -eq 1) { continue } if ($displayName -match '^(KB\d+|Update for|Hotfix for|Security Update for)') { continue } $version = $item.DisplayVersion if (-not $version) { $version = "" } $publisher = $item.Publisher if (-not $publisher) { $publisher = "" } $installDate = $item.InstallDate if (-not $installDate) { $installDate = "" } $cleanPublisher = $publisher -replace '[^a-zA-Z0-9]', '' $cleanName = $displayName -replace '[^a-zA-Z0-9]', '' $packageID = "" if ($cleanPublisher.Length -gt 0 -and $cleanName.Length -gt 0 -and $cleanPublisher.Length -lt 50 -and $cleanName.Length -lt 100) { $packageID = "$cleanPublisher.$cleanName" } [PSCustomObject]@{ Name = $displayName Version = $version Publisher = $publisher InstallDate = $installDate PackageID = $packageID Source = "registry" } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ec**G4FUi ]Ɋ& =!XFUiG4 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ab654804-fed2-433b-9f7d-050e4625a219 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $paths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" ) foreach ($path in $paths) { $base = $path -replace '\\\*$', '' if (-not (Test-Path $base)) { continue } $items = Get-ItemProperty $path -ErrorAction SilentlyContinue foreach ($item in $items) { $displayName = $item.DisplayName if (-not $displayName) { continue } if ($item.SystemComponent -eq 1) { continue } if ($displayName -match '^(KB\d+|Update for|Hotfix for|Security Update for)') { continue } $version = $item.DisplayVersion if (-not $version) { $version = "" } $publisher = $item.Publisher if (-not $publisher) { $publisher = "" } $installDate = $item.InstallDate if (-not $installDate) { $installDate = "" } $cleanPublisher = $publisher -replace '[^a-zA-Z0-9]', '' $cleanName = $displayName -replace '[^a-zA-Z0-9]', '' $packageID = "" if ($cleanPublisher.Length -gt 0 -and $cleanName.Length -gt 0 -and $cleanPublisher.Length -lt 50 -and $cleanName.Length -lt 100) { $packageID = "$cleanPublisher.$cleanName" } [PSCustomObject]@{ Name = $displayName Version = $version Publisher = $publisher InstallDate = $installDate PackageID = $packageID Source = "registry" } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **H4FUi ]Ɋ& 9!XFUiH4 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ab654804-fed2-433b-9f7d-050e4625a219 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $paths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" ) foreach ($path in $paths) { $base = $path -replace '\\\*$', '' if (-not (Test-Path $base)) { continue } $items = Get-ItemProperty $path -ErrorAction SilentlyContinue foreach ($item in $items) { $displayName = $item.DisplayName if (-not $displayName) { continue } if ($item.SystemComponent -eq 1) { continue } if ($displayName -match '^(KB\d+|Update for|Hotfix for|Security Update for)') { continue } $version = $item.DisplayVersion if (-not $version) { $version = "" } $publisher = $item.Publisher if (-not $publisher) { $publisher = "" } $installDate = $item.InstallDate if (-not $installDate) { $installDate = "" } $cleanPublisher = $publisher -replace '[^a-zA-Z0-9]', '' $cleanName = $displayName -replace '[^a-zA-Z0-9]', '' $packageID = "" if ($cleanPublisher.Length -gt 0 -and $cleanName.Length -gt 0 -and $cleanPublisher.Length -lt 50 -and $cleanName.Length -lt 100) { $packageID = "$cleanPublisher.$cleanName" } [PSCustomObject]@{ Name = $displayName Version = $version Publisher = $publisher InstallDate = $installDate PackageID = $packageID Source = "registry" } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=]Ɋ&**I4FUi ]Ɋ& 1!XFUiI4 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ab654804-fed2-433b-9f7d-050e4625a219 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $paths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" ) foreach ($path in $paths) { $base = $path -replace '\\\*$', '' if (-not (Test-Path $base)) { continue } $items = Get-ItemProperty $path -ErrorAction SilentlyContinue foreach ($item in $items) { $displayName = $item.DisplayName if (-not $displayName) { continue } if ($item.SystemComponent -eq 1) { continue } if ($displayName -match '^(KB\d+|Update for|Hotfix for|Security Update for)') { continue } $version = $item.DisplayVersion if (-not $version) { $version = "" } $publisher = $item.Publisher if (-not $publisher) { $publisher = "" } $installDate = $item.InstallDate if (-not $installDate) { $installDate = "" } $cleanPublisher = $publisher -replace '[^a-zA-Z0-9]', '' $cleanName = $displayName -replace '[^a-zA-Z0-9]', '' $packageID = "" if ($cleanPublisher.Length -gt 0 -and $cleanName.Length -gt 0 -and $cleanPublisher.Length -lt 50 -and $cleanName.Length -lt 100) { $packageID = "$cleanPublisher.$cleanName" } [PSCustomObject]@{ Name = $displayName Version = $version Publisher = $publisher InstallDate = $installDate PackageID = $packageID Source = "registry" } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ower**J4FUi ]Ɋ& 1!XFUiJ4 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ab654804-fed2-433b-9f7d-050e4625a219 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $paths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" ) foreach ($path in $paths) { $base = $path -replace '\\\*$', '' if (-not (Test-Path $base)) { continue } $items = Get-ItemProperty $path -ErrorAction SilentlyContinue foreach ($item in $items) { $displayName = $item.DisplayName if (-not $displayName) { continue } if ($item.SystemComponent -eq 1) { continue } if ($displayName -match '^(KB\d+|Update for|Hotfix for|Security Update for)') { continue } $version = $item.DisplayVersion if (-not $version) { $version = "" } $publisher = $item.Publisher if (-not $publisher) { $publisher = "" } $installDate = $item.InstallDate if (-not $installDate) { $installDate = "" } $cleanPublisher = $publisher -replace '[^a-zA-Z0-9]', '' $cleanName = $displayName -replace '[^a-zA-Z0-9]', '' $packageID = "" if ($cleanPublisher.Length -gt 0 -and $cleanName.Length -gt 0 -and $cleanPublisher.Length -lt 50 -and $cleanName.Length -lt 100) { $packageID = "$cleanPublisher.$cleanName" } [PSCustomObject]@{ Name = $displayName Version = $version Publisher = $publisher InstallDate = $installDate PackageID = $packageID Source = "registry" } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=PipeneId= Comm ]Ɋ& PaXFUiK4 F&n.Message) ]Ɋ&  XSi#4 F&CommandType= ScriptName= CommandPath= CommandLine=gpb3 F& ]Ɋ& X"i3 F& F&mmandPath= CommandLine=mXndLine= ElfChnkK4m4K4m4xJMu=VysMc&&**K4FUi ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XFUiK4 F&F%g>9{p(xlMD EventDatauoData !BinaryVariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ab654804-fed2-433b-9f7d-050e4625a219 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $paths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" ) foreach ($path in $paths) { $base = $path -replace '\\\*$', '' if (-not (Test-Path $base)) { continue } $items = Get-ItemProperty $path -ErrorAction SilentlyContinue foreach ($item in $items) { $displayName = $item.DisplayName if (-not $displayName) { continue } if ($item.SystemComponent -eq 1) { continue } if ($displayName -match '^(KB\d+|Update for|Hotfix for|Security Update for)') { continue } $version = $item.DisplayVersion if (-not $version) { $version = "" } $publisher = $item.Publisher if (-not $publisher) { $publisher = "" } $installDate = $item.InstallDate if (-not $installDate) { $installDate = "" } $cleanPublisher = $publisher -replace '[^a-zA-Z0-9]', '' $cleanName = $displayName -replace '[^a-zA-Z0-9]', '' $packageID = "" if ($cleanPublisher.Length -gt 0 -and $cleanName.Length -gt 0 -and $cleanPublisher.Length -lt 50 -and $cleanName.Length -lt 100) { $packageID = "$cleanPublisher.$cleanName" } [PSCustomObject]@{ Name = $displayName Version = $version Publisher = $publisher InstallDate = $installDate PackageID = $packageID Source = "registry" } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**0L4FUi ]Ɋ& !FUiL4 F&`AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ab654804-fed2-433b-9f7d-050e4625a219 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $paths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" ) foreach ($path in $paths) { $base = $path -replace '\\\*$', '' if (-not (Test-Path $base)) { continue } $items = Get-ItemProperty $path -ErrorAction SilentlyContinue foreach ($item in $items) { $displayName = $item.DisplayName if (-not $displayName) { continue } if ($item.SystemComponent -eq 1) { continue } if ($displayName -match '^(KB\d+|Update for|Hotfix for|Security Update for)') { continue } $version = $item.DisplayVersion if (-not $version) { $version = "" } $publisher = $item.Publisher if (-not $publisher) { $publisher = "" } $installDate = $item.InstallDate if (-not $installDate) { $installDate = "" } $cleanPublisher = $publisher -replace '[^a-zA-Z0-9]', '' $cleanName = $displayName -replace '[^a-zA-Z0-9]', '' $packageID = "" if ($cleanPublisher.Length -gt 0 -and $cleanName.Length -gt 0 -and $cleanPublisher.Length -lt 50 -and $cleanName.Length -lt 100) { $packageID = "$cleanPublisher.$cleanName" } [PSCustomObject]@{ Name = $displayName Version = $version Publisher = $publisher InstallDate = $installDate PackageID = $packageID Source = "registry" } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion=4.0 RunspaceId=e2b39717-df72-4503-9679-93a26918ce8f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=STA0**8M4ݐVi ]Ɋ& !ݐViM4 F&lStoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ab654804-fed2-433b-9f7d-050e4625a219 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $paths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" ) foreach ($path in $paths) { $base = $path -replace '\\\*$', '' if (-not (Test-Path $base)) { continue } $items = Get-ItemProperty $path -ErrorAction SilentlyContinue foreach ($item in $items) { $displayName = $item.DisplayName if (-not $displayName) { continue } if ($item.SystemComponent -eq 1) { continue } if ($displayName -match '^(KB\d+|Update for|Hotfix for|Security Update for)') { continue } $version = $item.DisplayVersion if (-not $version) { $version = "" } $publisher = $item.Publisher if (-not $publisher) { $publisher = "" } $installDate = $item.InstallDate if (-not $installDate) { $installDate = "" } $cleanPublisher = $publisher -replace '[^a-zA-Z0-9]', '' $cleanName = $displayName -replace '[^a-zA-Z0-9]', '' $packageID = "" if ($cleanPublisher.Length -gt 0 -and $cleanName.Length -gt 0 -and $cleanPublisher.Length -lt 50 -and $cleanName.Length -lt 100) { $packageID = "$cleanPublisher.$cleanName" } [PSCustomObject]@{ Name = $displayName Version = $version Publisher = $publisher InstallDate = $installDate PackageID = $packageID Source = "registry" } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion=4.0 RunspaceId=e2b39717-df72-4503-9679-93a26918ce8f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=K8**xN4ݐVi ]Ɋ& !XݐViN4 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=dd1cfdf8-c555-446f-8c3c-9421a9ad5180 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $modules = Get-InstalledModule -ErrorAction SilentlyContinue if ($modules) { foreach ($mod in $modules) { [PSCustomObject]@{ Name = $mod.Name Version = $mod.Version.ToString() Repository = $mod.Repository Author = $mod.Author } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==Varx**O4ݐVi ]Ɋ& !XݐViO4 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=dd1cfdf8-c555-446f-8c3c-9421a9ad5180 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $modules = Get-InstalledModule -ErrorAction SilentlyContinue if ($modules) { foreach ($mod in $modules) { [PSCustomObject]@{ Name = $mod.Name Version = $mod.Version.ToString() Repository = $mod.Repository Author = $mod.Author } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ere-**P4ݐVi ]Ɋ& !XݐViP4 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=dd1cfdf8-c555-446f-8c3c-9421a9ad5180 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $modules = Get-InstalledModule -ErrorAction SilentlyContinue if ($modules) { foreach ($mod in $modules) { [PSCustomObject]@{ Name = $mod.Name Version = $mod.Version.ToString() Repository = $mod.Repository Author = $mod.Author } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tV**Q4ݐVi ]Ɋ& !XݐViQ4 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=dd1cfdf8-c555-446f-8c3c-9421a9ad5180 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $modules = Get-InstalledModule -ErrorAction SilentlyContinue if ($modules) { foreach ($mod in $modules) { [PSCustomObject]@{ Name = $mod.Name Version = $mod.Version.ToString() Repository = $mod.Repository Author = $mod.Author } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s **R4ݐVi ]Ɋ& !XݐViR4 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=dd1cfdf8-c555-446f-8c3c-9421a9ad5180 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $modules = Get-InstalledModule -ErrorAction SilentlyContinue if ($modules) { foreach ($mod in $modules) { [PSCustomObject]@{ Name = $mod.Name Version = $mod.Version.ToString() Repository = $mod.Repository Author = $mod.Author } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-4**S4ݐVi ]Ɋ& !XݐViS4 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=dd1cfdf8-c555-446f-8c3c-9421a9ad5180 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $modules = Get-InstalledModule -ErrorAction SilentlyContinue if ($modules) { foreach ($mod in $modules) { [PSCustomObject]@{ Name = $mod.Name Version = $mod.Version.ToString() Repository = $mod.Repository Author = $mod.Author } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **T4ݐVi ]Ɋ& '!ݐViT4 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=dd1cfdf8-c555-446f-8c3c-9421a9ad5180 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $modules = Get-InstalledModule -ErrorAction SilentlyContinue if ($modules) { foreach ($mod in $modules) { [PSCustomObject]@{ Name = $mod.Name Version = $mod.Version.ToString() Repository = $mod.Repository Author = $mod.Author } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion=4.0 RunspaceId=506e0bb9-2618-43fa-9d38-72781815f384 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **U4ݐVi ]Ɋ& 3!ݐViU4 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=dd1cfdf8-c555-446f-8c3c-9421a9ad5180 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $modules = Get-InstalledModule -ErrorAction SilentlyContinue if ($modules) { foreach ($mod in $modules) { [PSCustomObject]@{ Name = $mod.Name Version = $mod.Version.ToString() Repository = $mod.Repository Author = $mod.Author } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion=4.0 RunspaceId=506e0bb9-2618-43fa-9d38-72781815f384 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**V4ݐVi ]Ɋ& 7!XݐViV4 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d1acbef5-88b2-419d-b207-ed7c0839ea39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**W4ݐVi ]Ɋ& O!XݐViW4 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d1acbef5-88b2-419d-b207-ed7c0839ea39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **X4ݐVi ]Ɋ& K!XݐViX4 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d1acbef5-88b2-419d-b207-ed7c0839ea39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Pi**Y4ݐVi ]Ɋ& C!XݐViY4 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d1acbef5-88b2-419d-b207-ed7c0839ea39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=it **Z4ݐVi ]Ɋ& C!XݐViZ4 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d1acbef5-88b2-419d-b207-ed7c0839ea39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h {**[4ݐVi ]Ɋ& E!XݐVi[4 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d1acbef5-88b2-419d-b207-ed7c0839ea39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$i**@\4ݐVi ]Ɋ& !ݐVi\4 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d1acbef5-88b2-419d-b207-ed7c0839ea39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=2bb5add0-1444-4edc-95aa-c278d9597729 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on@**P]4s)Wi ]Ɋ& !s)Wi]4 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d1acbef5-88b2-419d-b207-ed7c0839ea39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=2bb5add0-1444-4edc-95aa-c278d9597729 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=DescP**H^4"i ]Ɋ& !X"i^4 F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=320da9e6-0c78-4f02-ba91-87e47836b9f9 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=9H**`_4"i ]Ɋ& !X"i_4 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=320da9e6-0c78-4f02-ba91-87e47836b9f9 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i`**``4"i ]Ɋ& !X"i`4 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=320da9e6-0c78-4f02-ba91-87e47836b9f9 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== $`**Xa4"i ]Ɋ& !X"ia4 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=320da9e6-0c78-4f02-ba91-87e47836b9f9 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s X**Xb4"i ]Ɋ& !X"ib4 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=320da9e6-0c78-4f02-ba91-87e47836b9f9 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=IntX**Xc4"i ]Ɋ& !X"ic4 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=320da9e6-0c78-4f02-ba91-87e47836b9f9 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=plX**d4"i ]Ɋ& !"id4 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=320da9e6-0c78-4f02-ba91-87e47836b9f9 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=47a9d02f-7df5-489a-88ad-b71ccd6f3c0d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **e4Xi ]Ɋ&  !Xie4 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=320da9e6-0c78-4f02-ba91-87e47836b9f9 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=47a9d02f-7df5-489a-88ad-b71ccd6f3c0d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C**f4j ]Ɋ& K!Xjf4 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f5f4ebf7-db8c-414c-a948-9218ef8ec2c1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ths**g4j ]Ɋ& c!Xjg4 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f5f4ebf7-db8c-414c-a948-9218ef8ec2c1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine='[^**h4j ]Ɋ& _!Xjh4 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f5f4ebf7-db8c-414c-a948-9218ef8ec2c1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=F**i4j ]Ɋ& W!Xji4 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f5f4ebf7-db8c-414c-a948-9218ef8ec2c1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **j4j ]Ɋ& W!Xjj4 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f5f4ebf7-db8c-414c-a948-9218ef8ec2c1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c**k4j ]Ɋ& Y!Xjk4 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f5f4ebf7-db8c-414c-a948-9218ef8ec2c1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tVer**Xl4j ]Ɋ& !jl4 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f5f4ebf7-db8c-414c-a948-9218ef8ec2c1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=9566c0ef-4618-4ef1-8e1e-093a241c4d25 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=atchX**`m4j ]Ɋ& !jm4 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f5f4ebf7-db8c-414c-a948-9218ef8ec2c1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=9566c0ef-4618-4ef1-8e1e-093a241c4d25 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= P`kageID = $pa ]Ɋ& onXjn4 F&rite-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=PipeneId= Comm ]Ɋ& PaXFUiK4 F&n.Message) ]Ɋ&  XSi#4 F&CommandType= ScriptName= CommandPath= CommandLine=gpb3 F& ]Ɋ& X"i3 F& F&mmandPath= CommandLine=mXndLine= ElfChnkn44n44w|$Mu=VysMc&&**(n4j ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !Xjn4 F&F%g>9{p(xlMD EventDatauoData !BinaryT AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=40d63806-f5c1-43c5-b6e5-1fef6f8ea632 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= (**8o4j ]Ɋ&  !Xjo4 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=40d63806-f5c1-43c5-b6e5-1fef6f8ea632 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=]8**8p4j ]Ɋ&  !Xjp4 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=40d63806-f5c1-43c5-b6e5-1fef6f8ea632 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=or)8**0q4j ]Ɋ&  !Xjq4 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=40d63806-f5c1-43c5-b6e5-1fef6f8ea632 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= | 0**0r4j ]Ɋ&  !Xjr4 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=40d63806-f5c1-43c5-b6e5-1fef6f8ea632 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me 0**0s4j ]Ɋ&  !Xjs4 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=40d63806-f5c1-43c5-b6e5-1fef6f8ea632 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=in0**t4j ]Ɋ&  !jt4 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=40d63806-f5c1-43c5-b6e5-1fef6f8ea632 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=2e306688-0273-4a8a-93b1-084190936a97 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nt**u4Jfj ]Ɋ&  !Jfju4 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=40d63806-f5c1-43c5-b6e5-1fef6f8ea632 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=2e306688-0273-4a8a-93b1-084190936a97 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ppli** v4Jfj ]Ɋ&  !XJfjv4 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=aa7fc2b3-aee2-4154-a9d2-2f76dbde2881 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** w4Jfj ]Ɋ&  !XJfjw4 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=aa7fc2b3-aee2-4154-a9d2-2f76dbde2881 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** x4Jfj ]Ɋ&  !XJfjx4 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=aa7fc2b3-aee2-4154-a9d2-2f76dbde2881 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sio ** y4Jfj ]Ɋ&  !XJfjy4 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=aa7fc2b3-aee2-4154-a9d2-2f76dbde2881 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Pip ** z4Jfj ]Ɋ&  !XJfjz4 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=aa7fc2b3-aee2-4154-a9d2-2f76dbde2881 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ass ** {4Jfj ]Ɋ&  !XJfj{4 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=aa7fc2b3-aee2-4154-a9d2-2f76dbde2881 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=am ** |4Jfj ]Ɋ& e !Jfj|4 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=aa7fc2b3-aee2-4154-a9d2-2f76dbde2881 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=c3700368-9f06-4b68-b178-4bdefcf8b340 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S ** }4j ]Ɋ& q !j}4 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=aa7fc2b3-aee2-4154-a9d2-2f76dbde2881 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=c3700368-9f06-4b68-b178-4bdefcf8b340 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0da9 **~4wj ]Ɋ& 7!Xwj~4 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8ae6c2cf-e191-486f-8401-358066c4937d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s**4wj ]Ɋ& O!Xwj4 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8ae6c2cf-e191-486f-8401-358066c4937d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=3**4wj ]Ɋ& K!Xwj4 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8ae6c2cf-e191-486f-8401-358066c4937d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t -**4wj ]Ɋ& C!Xwj4 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8ae6c2cf-e191-486f-8401-358066c4937d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Wmi**4wj ]Ɋ& C!Xwj4 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8ae6c2cf-e191-486f-8401-358066c4937d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nd **4wj ]Ɋ& E!Xwj4 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8ae6c2cf-e191-486f-8401-358066c4937d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s **@4wj ]Ɋ& !wj4 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8ae6c2cf-e191-486f-8401-358066c4937d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=248f6583-a882-4c44-a555-45641399bfdd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Cl@**P40j ]Ɋ& !0j4 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=8ae6c2cf-e191-486f-8401-358066c4937d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=248f6583-a882-4c44-a555-45641399bfdd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-WmiP } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= hbreak  ]Ɋ& ouXy/d F& } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=c68a1d59-10b2-435a-89ca-883f3eea75ca PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nginersion= Ru ]Ɋ& dTX*/Q F&ath= CommandLine=`F&ndLine=hS5ElfChnkpZMu=VysMc&&**0[^0 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X[^0 F&F%g>9{p(xlMD EventDatauoData !Binary` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=46c66467-f995-4b65-bd8d-fdbbedc17998 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0[^0 ]Ɋ&  !X[^0 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=46c66467-f995-4b65-bd8d-fdbbedc17998 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=and0**0[^0 ]Ɋ&  !X[^0 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=46c66467-f995-4b65-bd8d-fdbbedc17998 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1c0**[^0 ]Ɋ&  ![^0 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=46c66467-f995-4b65-bd8d-fdbbedc17998 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=70a77a45-9bdc-4106-96c1-09814cb9aad4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gi**_0 ]Ɋ&  !_0 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=46c66467-f995-4b65-bd8d-fdbbedc17998 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=70a77a45-9bdc-4106-96c1-09814cb9aad4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.Sta** _0 ]Ɋ&  !X_0 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9bd85a5f-07fc-407f-8a59-637c5abce3e6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S ** _0 ]Ɋ&  !X_0 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9bd85a5f-07fc-407f-8a59-637c5abce3e6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** _0 ]Ɋ&  !X_0 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9bd85a5f-07fc-407f-8a59-637c5abce3e6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Byp ** _0 ]Ɋ&  !X_0 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9bd85a5f-07fc-407f-8a59-637c5abce3e6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** _0 ]Ɋ&  !X_0 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9bd85a5f-07fc-407f-8a59-637c5abce3e6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me= ** _0 ]Ɋ&  !X_0 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9bd85a5f-07fc-407f-8a59-637c5abce3e6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** _0 ]Ɋ& e !_0 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9bd85a5f-07fc-407f-8a59-637c5abce3e6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=ac3beaae-7568-45d3-b74c-5df9bd9f1fdb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==1 ** _0 ]Ɋ& q !_0 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9bd85a5f-07fc-407f-8a59-637c5abce3e6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=ac3beaae-7568-45d3-b74c-5df9bd9f1fdb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ass **_0 ]Ɋ& 7!X_0 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1826a873-5b56-479a-8817-d451779a9606 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**_0 ]Ɋ& O!X_0 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1826a873-5b56-479a-8817-d451779a9606 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a**_0 ]Ɋ& K!X_0 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1826a873-5b56-479a-8817-d451779a9606 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cy **_0 ]Ɋ& C!X_0 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1826a873-5b56-479a-8817-d451779a9606 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tio**_0 ]Ɋ& C!X_0 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1826a873-5b56-479a-8817-d451779a9606 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ve **_0 ]Ɋ& E!X_0 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1826a873-5b56-479a-8817-d451779a9606 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=No**@_0 ]Ɋ& !_0 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1826a873-5b56-479a-8817-d451779a9606 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=212c00de-31c5-4246-bbb7-dac5df076a47 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l.@**PJ`0 ]Ɋ& !J`0 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=1826a873-5b56-479a-8817-d451779a9606 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=212c00de-31c5-4246-bbb7-dac5df076a47 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e -NP**i0 ]Ɋ&  !i0 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=1f93ec2c-507d-4b8a-86d4-96bd8c540992 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a4a6bf2b-e1c0-4b3d-8ae6-0fdbf1acf654 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=acAd**HZ 1 ]Ɋ& !XZ 1 F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=df86a5fa-2d85-42fb-a7c6-cbe45a0d357c HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2H**`Z 1 ]Ɋ& !XZ 1 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=df86a5fa-2d85-42fb-a7c6-cbe45a0d357c HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n`**`Z 1 ]Ɋ& !XZ 1 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=df86a5fa-2d85-42fb-a7c6-cbe45a0d357c HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rfa`**XZ 1 ]Ɋ& !XZ 1 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=df86a5fa-2d85-42fb-a7c6-cbe45a0d357c HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e-OX**XZ 1 ]Ɋ& !XZ 1 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=df86a5fa-2d85-42fb-a7c6-cbe45a0d357c HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**XZ 1 ]Ɋ& !XZ 1 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=df86a5fa-2d85-42fb-a7c6-cbe45a0d357c HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-CX**Z 1 ]Ɋ& !Z 1 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=df86a5fa-2d85-42fb-a7c6-cbe45a0d357c HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=21d1b0bc-7729-4e27-b9b8-a54c688f7489 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=or**P1 ]Ɋ& K!XP1 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b96ea86f-ab67-4ffb-a205-5f49fd2e100e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=emp**P1 ]Ɋ& c!XP1 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b96ea86f-ab67-4ffb-a205-5f49fd2e100e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ati | Where-Obj ]Ɋ& d XP1 F&ct -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=c68a1d59-10b2-435a-89ca-883f3eea75ca PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nginersion= Ru ]Ɋ& dTX*/Q F&ath= CommandLine=`F&ndLine=hS5ElfChnkR"_ iMu=VysMc&&** P1 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XP1 F&F%g>9{p(xlMD EventDatauoData !Binary<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b96ea86f-ab67-4ffb-a205-5f49fd2e100e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ro **P1 ]Ɋ& W!XP1 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b96ea86f-ab67-4ffb-a205-5f49fd2e100e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**P1 ]Ɋ& W!XP1 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b96ea86f-ab67-4ffb-a205-5f49fd2e100e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s**P1 ]Ɋ& Y!XP1 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b96ea86f-ab67-4ffb-a205-5f49fd2e100e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Cla**XP1 ]Ɋ& !P1 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b96ea86f-ab67-4ffb-a205-5f49fd2e100e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b7a5f360-630e-4735-8596-4da8abfab498 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8d-fX**`P1 ]Ɋ& !P1 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b96ea86f-ab67-4ffb-a205-5f49fd2e100e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b7a5f360-630e-4735-8596-4da8abfab498 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `** P1 ]Ɋ& w !XP1 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5c6a3042-d31c-4d18-bfd6-d1f3719505e3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8P1 ]Ɋ&  !XP1 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5c6a3042-d31c-4d18-bfd6-d1f3719505e3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a8**8P1 ]Ɋ&  !XP1 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5c6a3042-d31c-4d18-bfd6-d1f3719505e3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e {8**0P1 ]Ɋ&  !XP1 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5c6a3042-d31c-4d18-bfd6-d1f3719505e3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NoP0**0P1 ]Ɋ&  !XP1 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5c6a3042-d31c-4d18-bfd6-d1f3719505e3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= @{0**0P1 ]Ɋ&  !XP1 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5c6a3042-d31c-4d18-bfd6-d1f3719505e3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e=0**P1 ]Ɋ&  !P1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5c6a3042-d31c-4d18-bfd6-d1f3719505e3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=500e1dc3-d880-49d3-be0e-cbfb669be996 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.C**O1 ]Ɋ&  !O1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=5c6a3042-d31c-4d18-bfd6-d1f3719505e3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=500e1dc3-d880-49d3-be0e-cbfb669be996 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= FӐ** O1 ]Ɋ&  !XO1 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=02be37dd-e28a-4db1-a4e2-88c237313007 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} ** O1 ]Ɋ&  !XO1 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=02be37dd-e28a-4db1-a4e2-88c237313007 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h ** O1 ]Ɋ&  !XO1 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=02be37dd-e28a-4db1-a4e2-88c237313007 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** O1 ]Ɋ&  !XO1 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=02be37dd-e28a-4db1-a4e2-88c237313007 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=res ** O1 ]Ɋ&  !XO1 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=02be37dd-e28a-4db1-a4e2-88c237313007 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tat ** O1 ]Ɋ&  !XO1 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=02be37dd-e28a-4db1-a4e2-88c237313007 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d8 ** O1 ]Ɋ& e !O1 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=02be37dd-e28a-4db1-a4e2-88c237313007 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=ccb85b9c-878a-4948-93eb-e6a8ade9f475 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=he ** 1 ]Ɋ& q !1 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=02be37dd-e28a-4db1-a4e2-88c237313007 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=ccb85b9c-878a-4948-93eb-e6a8ade9f475 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **1 ]Ɋ& 7!X1 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8a785c43-74a6-40e0-9e56-d8a636286ff5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=H**1 ]Ɋ& O!X1 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8a785c43-74a6-40e0-9e56-d8a636286ff5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**1 ]Ɋ& K!X1 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8a785c43-74a6-40e0-9e56-d8a636286ff5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ $c } Engin ]Ɋ& caX1 F& CommandName= CommandType= ScriptName= CommandPath= CommandLine=nginersion= Ru ]Ɋ& dTX*/Q F&ath= CommandLine=`F&ndLine=hS5ElfChnkp7i8;&Mu=VysMc&&** 1 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X1 F&F%g>9{p(xlMD EventDatauoData !Binary FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8a785c43-74a6-40e0-9e56-d8a636286ff5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **1 ]Ɋ& C!X1 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8a785c43-74a6-40e0-9e56-d8a636286ff5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndP**1 ]Ɋ& E!X1 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8a785c43-74a6-40e0-9e56-d8a636286ff5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **@1 ]Ɋ& !1 F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8a785c43-74a6-40e0-9e56-d8a636286ff5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=d8ddcbf6-dbb2-4864-bb13-1142a21ca9cd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=@**P1 ]Ɋ& !1 F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=8a785c43-74a6-40e0-9e56-d8a636286ff5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=d8ddcbf6-dbb2-4864-bb13-1142a21ca9cd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ine=P**/"1 ]Ɋ&  !/"1 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=df86a5fa-2d85-42fb-a7c6-cbe45a0d357c HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=21d1b0bc-7729-4e27-b9b8-a54c688f7489 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=amdi**Xf1 ]Ɋ&  !Xf1 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b5bba1e5-a371-49c3-bd07-a49f6b53ff6d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $X**pf1 ]Ɋ&  !Xf1 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b5bba1e5-a371-49c3-bd07-a49f6b53ff6d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= {p**pf1 ]Ɋ&  !Xf1 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b5bba1e5-a371-49c3-bd07-a49f6b53ff6d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mac)p**hf1 ]Ɋ&  !Xf1 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b5bba1e5-a371-49c3-bd07-a49f6b53ff6d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on= h**hf1 ]Ɋ&  !Xf1 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b5bba1e5-a371-49c3-bd07-a49f6b53ff6d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Id= h**hf1 ]Ɋ&  !Xf1 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b5bba1e5-a371-49c3-bd07-a49f6b53ff6d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Typh**f1 ]Ɋ&  !f1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b5bba1e5-a371-49c3-bd07-a49f6b53ff6d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=19589ec3-d719-4523-ba6c-f9416921081f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dPa**1 ]Ɋ& !1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b5bba1e5-a371-49c3-bd07-a49f6b53ff6d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=19589ec3-d719-4523-ba6c-f9416921081f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X7 1 ]Ɋ&  !X7 1 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9a17a75b-60d5-45a9-88ed-9785276c9565 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=teX**p7 1 ]Ɋ&  !X7 1 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9a17a75b-60d5-45a9-88ed-9785276c9565 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omp**p7 1 ]Ɋ&  !X7 1 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9a17a75b-60d5-45a9-88ed-9785276c9565 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=g = p**h7 1 ]Ɋ&  !X7 1 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9a17a75b-60d5-45a9-88ed-9785276c9565 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Versh**h7 1 ]Ɋ&  !X7 1 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9a17a75b-60d5-45a9-88ed-9785276c9565 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -eqh**h7 1 ]Ɋ&  !X7 1 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9a17a75b-60d5-45a9-88ed-9785276c9565 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Hoshd=8a785c43-7 ]Ɋ& we7 1 F&eractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**1 ]Ɋ& K!X1 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8a785c43-74a6-40e0-9e56-d8a636286ff5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ $c } Engin ]Ɋ& caX1 F& CommandName= CommandType= ScriptName= CommandPath= CommandLine=nginersion= Ru ]Ɋ& dTX*/Q F&ath= CommandLine=`F&ndLine=hS5ElfChnk{Qb$Mu=VysMc&&**7 1 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !7 1 F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9a17a75b-60d5-45a9-88ed-9785276c9565 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=ad2ca79c-a051-4c11-a204-07a00ae20c07 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**7 1 ]Ɋ& !7 1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9a17a75b-60d5-45a9-88ed-9785276c9565 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=ad2ca79c-a051-4c11-a204-07a00ae20c07 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8** 7 1 ]Ɋ& w !X7 1 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d746f64f-73c9-4c57-b262-8f509eb3d7bb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=W **87 1 ]Ɋ&  !X7 1 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d746f64f-73c9-4c57-b262-8f509eb3d7bb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e8**87 1 ]Ɋ&  !X7 1 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d746f64f-73c9-4c57-b262-8f509eb3d7bb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n O8**07 1 ]Ɋ&  !X7 1 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d746f64f-73c9-4c57-b262-8f509eb3d7bb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=(En0**07 1 ]Ɋ&  !X7 1 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d746f64f-73c9-4c57-b262-8f509eb3d7bb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tif0**07 1 ]Ɋ&  !X7 1 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d746f64f-73c9-4c57-b262-8f509eb3d7bb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**7 1 ]Ɋ&  !7 1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d746f64f-73c9-4c57-b262-8f509eb3d7bb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b383ad6a-1b76-4f7c-8fa7-481bb18de067 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= =**Ρ1 ]Ɋ&  !Ρ1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=d746f64f-73c9-4c57-b262-8f509eb3d7bb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b383ad6a-1b76-4f7c-8fa7-481bb18de067 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Cert**Ρ1 ]Ɋ&  !XΡ1 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=57d92d20-0623-440a-ac67-7fce792c280b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=erCe**Ρ1 ]Ɋ&  !XΡ1 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=57d92d20-0623-440a-ac67-7fce792c280b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=g.Si**Ρ1 ]Ɋ& !XΡ1 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=57d92d20-0623-440a-ac67-7fce792c280b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Us**Ρ1 ]Ɋ&  !XΡ1 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=57d92d20-0623-440a-ac67-7fce792c280b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= O**Ρ1 ]Ɋ&  !XΡ1 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=57d92d20-0623-440a-ac67-7fce792c280b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t **Ρ1 ]Ɋ&  !XΡ1 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=57d92d20-0623-440a-ac67-7fce792c280b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**Ρ1 ]Ɋ& O!Ρ1 F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=57d92d20-0623-440a-ac67-7fce792c280b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=1774ac03-775c-4ea1-aceb-1b59a8137f33 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i= Runspace ]Ɋ&  d:1 F& CommandLine={ $c } Engin ]Ɋ& caX1 F& CommandName= CommandType= ScriptName= CommandPath= CommandLine=nginersion= Ru ]Ɋ& dTX*/Q F&ath= CommandLine=`F&ndLine=hS5ElfChnk(Q:uMu=VysMc&&**d:1 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !d:1 F&F%g>9{p(xlMD EventDatauoData !Binary8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=57d92d20-0623-440a-ac67-7fce792c280b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=1774ac03-775c-4ea1-aceb-1b59a8137f33 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**8 ra1 ]Ɋ&  !Xra1 F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6e1bd6b3-bd39-4b97-a4e9-3324f021ab98 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gi8 **P ra1 ]Ɋ&  !Xra1 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6e1bd6b3-bd39-4b97-a4e9-3324f021ab98 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_.P **P ra1 ]Ɋ&  !Xra1 F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6e1bd6b3-bd39-4b97-a4e9-3324f021ab98 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== GeP **H ra1 ]Ɋ&  !Xra1 F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6e1bd6b3-bd39-4b97-a4e9-3324f021ab98 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-ObjH **H ra1 ]Ɋ&  !Xra1 F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6e1bd6b3-bd39-4b97-a4e9-3324f021ab98 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e -EH **H ra1 ]Ɋ&  !Xra1 F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6e1bd6b3-bd39-4b97-a4e9-3324f021ab98 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H ** ra1 ]Ɋ&  !ra1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6e1bd6b3-bd39-4b97-a4e9-3324f021ab98 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=7992af0f-a83f-4da1-bdf3-2501b94b1486 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** ra1 ]Ɋ&  !ra1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=6e1bd6b3-bd39-4b97-a4e9-3324f021ab98 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=7992af0f-a83f-4da1-bdf3-2501b94b1486 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0 ** ra1 ]Ɋ& w !Xra1 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2efe40ca-c548-41d1-9001-a6b42196878e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=. **8ra1 ]Ɋ&  !Xra1 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2efe40ca-c548-41d1-9001-a6b42196878e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=u8**8ra1 ]Ɋ&  !Xra1 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2efe40ca-c548-41d1-9001-a6b42196878e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=for8**0ra1 ]Ɋ&  !Xra1 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2efe40ca-c548-41d1-9001-a6b42196878e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $s0**0ra1 ]Ɋ&  !Xra1 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2efe40ca-c548-41d1-9001-a6b42196878e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=inu0**0ra1 ]Ɋ&  !Xra1 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2efe40ca-c548-41d1-9001-a6b42196878e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ig0**ra1 ]Ɋ&  !ra1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2efe40ca-c548-41d1-9001-a6b42196878e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=5176be30-0d73-4d87-a390-aabee9da2a52 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s ** 1 ]Ɋ&  ! 1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=2efe40ca-c548-41d1-9001-a6b42196878e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=5176be30-0d73-4d87-a390-aabee9da2a52 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Goin** 1 ]Ɋ& K!X 1 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=98d1ae68-c539-4f64-9b9e-48617a6e032b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ew-** 1 ]Ɋ& c!X 1 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=98d1ae68-c539-4f64-9b9e-48617a6e032b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=F& Comma ]Ɋ& atX 1 F&sion= Ru ]Ɋ& dTX*/Q F&ath= CommandLine=`F&ndLine=hS5ElfChnk  XcmY |Mu=VysMc&&**  1 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X 1 F&F%g>9{p(xlMD EventDatauoData !Binary<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=98d1ae68-c539-4f64-9b9e-48617a6e032b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=}  ** 1 ]Ɋ& W!X 1 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=98d1ae68-c539-4f64-9b9e-48617a6e032b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** 1 ]Ɋ& W!X 1 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=98d1ae68-c539-4f64-9b9e-48617a6e032b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 1 ]Ɋ& Y!X 1 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=98d1ae68-c539-4f64-9b9e-48617a6e032b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tch **X 1 ]Ɋ& ! 1 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=98d1ae68-c539-4f64-9b9e-48617a6e032b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=df66941a-6e2f-44d2-b319-f6b0399029a3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ab98X**` 1 ]Ɋ& ! 1 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=98d1ae68-c539-4f64-9b9e-48617a6e032b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=df66941a-6e2f-44d2-b319-f6b0399029a3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l `**  1 ]Ɋ& w !X 1 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=19920ef4-a897-4c09-b730-3d181220851c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l **8 1 ]Ɋ&  !X 1 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=19920ef4-a897-4c09-b730-3d181220851c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i8**8 1 ]Ɋ&  !X 1 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=19920ef4-a897-4c09-b730-3d181220851c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) {8**0 1 ]Ɋ&  !X 1 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=19920ef4-a897-4c09-b730-3d181220851c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0 1 ]Ɋ&  !X 1 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=19920ef4-a897-4c09-b730-3d181220851c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=man0**0 1 ]Ɋ&  !X 1 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=19920ef4-a897-4c09-b730-3d181220851c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=00** 1 ]Ɋ&  ! 1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=19920ef4-a897-4c09-b730-3d181220851c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=acbb05ac-aba6-493b-8052-70b09b27fdc7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**1 ]Ɋ&  !1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=19920ef4-a897-4c09-b730-3d181220851c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=acbb05ac-aba6-493b-8052-70b09b27fdc7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=&** 1 ]Ɋ&  !X1 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=bff94b72-87cf-4a67-aacb-3318e582079e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_ ** 1 ]Ɋ&  !X1 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=bff94b72-87cf-4a67-aacb-3318e582079e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ** 1 ]Ɋ&  !X1 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=bff94b72-87cf-4a67-aacb-3318e582079e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e=C ** 1 ]Ɋ&  !X1 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=bff94b72-87cf-4a67-aacb-3318e582079e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=jec ** 1 ]Ɋ&  !X1 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=bff94b72-87cf-4a67-aacb-3318e582079e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ada ** 1 ]Ɋ&  !X1 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=bff94b72-87cf-4a67-aacb-3318e582079e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-N ** 1 ]Ɋ& e !1 F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=bff94b72-87cf-4a67-aacb-3318e582079e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=3f7b3a4d-0fac-4dd0-be2f-104381d9a0e3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=}  **X6+1 ]Ɋ&  !X6+1 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f4763409-acbf-43de-b387-3cecbecf9f23 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=elX**p 6+1 ]Ɋ&  !X6+1  F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f4763409-acbf-43de-b387-3cecbecf9f23 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p ]Ɋ&  X6+1  F& dTX*/Q F&ath= CommandLine=`F&ndLine=hS5ElfChnk  *Nk+<Mu=VysMc&&**p 6+1 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! Q!X6+1  F&F%g>9{p(xlMD EventDatauoData !Binary FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f4763409-acbf-43de-b387-3cecbecf9f23 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.p**h 6+1 ]Ɋ&  !X6+1  F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f4763409-acbf-43de-b387-3cecbecf9f23 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=movah**h 6+1 ]Ɋ&  !X6+1  F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f4763409-acbf-43de-b387-3cecbecf9f23 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=lecth**h 6+1 ]Ɋ&  !X6+1  F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f4763409-acbf-43de-b387-3cecbecf9f23 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**6+1 ]Ɋ&  !6+1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f4763409-acbf-43de-b387-3cecbecf9f23 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=8e8b34d9-90c5-4c7f-9235-076cfd4d807c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ss **6+1 ]Ɋ& !6+1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f4763409-acbf-43de-b387-3cecbecf9f23 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=8e8b34d9-90c5-4c7f-9235-076cfd4d807c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 6+1 ]Ɋ& q !6+1 F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=bff94b72-87cf-4a67-aacb-3318e582079e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=3f7b3a4d-0fac-4dd0-be2f-104381d9a0e3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=entl **X6+1 ]Ɋ&  !X6+1 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=48aacb3c-e258-49df-a701-62a666747c51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$rX**p6+1 ]Ɋ&  !X6+1 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=48aacb3c-e258-49df-a701-62a666747c51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tip**p6+1 ]Ɋ&  !X6+1 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=48aacb3c-e258-49df-a701-62a666747c51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=etRop**h6+1 ]Ɋ&  !X6+1 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=48aacb3c-e258-49df-a701-62a666747c51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$adah**h6+1 ]Ɋ&  !X6+1 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=48aacb3c-e258-49df-a701-62a666747c51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ers"h**h6+1 ]Ɋ&  !X6+1 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=48aacb3c-e258-49df-a701-62a666747c51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine='Uph**6+1 ]Ɋ&  !6+1 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=48aacb3c-e258-49df-a701-62a666747c51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=f0ce07c6-417d-447b-bdf3-6d2c4d817872 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=utp**6+1 ]Ɋ& !6+1 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=48aacb3c-e258-49df-a701-62a666747c51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=f0ce07c6-417d-447b-bdf3-6d2c4d817872 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **6+1 ]Ɋ& 7!X6+1 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=38d7ff9d-12a4-45fc-9436-bc16c61113d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a**6+1 ]Ɋ& O!X6+1 F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=38d7ff9d-12a4-45fc-9436-bc16c61113d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **6+1 ]Ɋ& K!X6+1 F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=38d7ff9d-12a4-45fc-9436-bc16c61113d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $_**6+1 ]Ɋ& C!X6+1 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=38d7ff9d-12a4-45fc-9436-bc16c61113d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Act**6+1 ]Ɋ& C!X6+1 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=38d7ff9d-12a4-45fc-9436-bc16c61113d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=' }**6+1 ]Ɋ& E!X6+1 F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=38d7ff9d-12a4-45fc-9436-bc16c61113d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X ]Ɋ& 6+1 F& F&ath= CommandLine=`F&ndLine=hS5ElfChnk;;HVmh:Mu=VysMc&&**H 6+1 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! %!6+1 F&F%g>9{p(xlMD EventDatauoData !BinaryrAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=38d7ff9d-12a4-45fc-9436-bc16c61113d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=c26cb18b-fc8c-45bd-a726-46fbe241d5e3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=SubH **P þ1 ]Ɋ& !þ1  F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=38d7ff9d-12a4-45fc-9436-bc16c61113d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=c26cb18b-fc8c-45bd-a726-46fbe241d5e3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=iteP**H!N8M2 ]Ɋ& !XN8M2! F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e7eb929e-c31a-46ad-b62d-9975d444eb31 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=PH**`"N8M2 ]Ɋ& !XN8M2" F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e7eb929e-c31a-46ad-b62d-9975d444eb31 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m`**`#N8M2 ]Ɋ& !XN8M2# F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e7eb929e-c31a-46ad-b62d-9975d444eb31 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=han`**X$N8M2 ]Ɋ& !XN8M2$ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e7eb929e-c31a-46ad-b62d-9975d444eb31 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ewPX**X%N8M2 ]Ɋ& !XN8M2% F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e7eb929e-c31a-46ad-b62d-9975d444eb31 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**X&N8M2 ]Ɋ& !XN8M2& F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e7eb929e-c31a-46ad-b62d-9975d444eb31 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=SyX**'N8M2 ]Ɋ& !N8M2' F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e7eb929e-c31a-46ad-b62d-9975d444eb31 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=de6e1bab-e9a0-410f-b320-8dc7bf4d1832 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**( h2 ]Ɋ&  ! h2( F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e7eb929e-c31a-46ad-b62d-9975d444eb31 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=de6e1bab-e9a0-410f-b320-8dc7bf4d1832 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Out**)1o2 ]Ɋ& K!X1o2) F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=51888777-bcaf-4027-9c95-5f0f3c63b4a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nce***1o2 ]Ɋ& c!X1o2* F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=51888777-bcaf-4027-9c95-5f0f3c63b4a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.ex**+1o2 ]Ɋ& _!X1o2+ F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=51888777-bcaf-4027-9c95-5f0f3c63b4a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r**,1o2 ]Ɋ& W!X1o2, F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=51888777-bcaf-4027-9c95-5f0f3c63b4a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **-1o2 ]Ɋ& W!X1o2- F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=51888777-bcaf-4027-9c95-5f0f3c63b4a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f**.1o2 ]Ɋ& Y!X1o2. F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=51888777-bcaf-4027-9c95-5f0f3c63b4a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **X/1o2 ]Ɋ& !1o2/ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=51888777-bcaf-4027-9c95-5f0f3c63b4a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=96b21a6a-2e69-4c06-8a3f-cf1957bdee04 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bjecX**`01o2 ]Ɋ& !1o20 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=51888777-bcaf-4027-9c95-5f0f3c63b4a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=96b21a6a-2e69-4c06-8a3f-cf1957bdee04 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e=`** 11o2 ]Ɋ& w !X1o21 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0583e619-762d-4c89-896d-93899909367d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== **821o2 ]Ɋ&  !X1o22 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0583e619-762d-4c89-896d-93899909367d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==8**831o2 ]Ɋ&  !X1o23 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0583e619-762d-4c89-896d-93899909367d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**041o2 ]Ɋ&  !X1o24 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0583e619-762d-4c89-896d-93899909367d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=R:$0**051o2 ]Ɋ&  !X1o25 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0583e619-762d-4c89-896d-93899909367d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tch0**061o2 ]Ɋ&  !X1o26 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0583e619-762d-4c89-896d-93899909367d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$e0**71o2 ]Ɋ&  !1o27 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0583e619-762d-4c89-896d-93899909367d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=0756a8ab-cfa7-4907-942a-5ad27e8055c9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= '**8go2 ]Ɋ&  !go28 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=0583e619-762d-4c89-896d-93899909367d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=0756a8ab-cfa7-4907-942a-5ad27e8055c9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e-Ou** 9go2 ]Ɋ&  !Xgo29 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=43cc565e-32fe-478d-b303-33dd6ad97c9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t ** :go2 ]Ɋ&  !Xgo2: F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=43cc565e-32fe-478d-b303-33dd6ad97c9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m ** ;go2 ]Ɋ&  !Xgo2; F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=43cc565e-32fe-478d-b303-33dd6ad97c9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eac ble' -and $_ ]Ɋ&  !Xgo2< F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=43cc565e-32fe-478d-b303-33dd6ad97c9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ElfChnk<\<\pls:l4Mu=VysMc&&** <go2 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !Xgo2< F&F%g>9{p(xlMD EventDatauoData !BinaryFunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=43cc565e-32fe-478d-b303-33dd6ad97c9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** =go2 ]Ɋ&  !Xgo2= F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=43cc565e-32fe-478d-b303-33dd6ad97c9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Pro ** >go2 ]Ɋ&  !Xgo2> F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=43cc565e-32fe-478d-b303-33dd6ad97c9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** ?go2 ]Ɋ& e !go2? F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=43cc565e-32fe-478d-b303-33dd6ad97c9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=27676a9e-29a7-4d68-ac51-67acaddc3d34 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** @bp2 ]Ɋ& q !bp2@ F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=43cc565e-32fe-478d-b303-33dd6ad97c9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=27676a9e-29a7-4d68-ac51-67acaddc3d34 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r=1 **Abp2 ]Ɋ& 7!Xbp2A F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=aa1ed74b-8da7-4616-a90b-8d358220374d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**Bbp2 ]Ɋ& O!Xbp2B F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=aa1ed74b-8da7-4616-a90b-8d358220374d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S**Cbp2 ]Ɋ& K!Xbp2C F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=aa1ed74b-8da7-4616-a90b-8d358220374d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ovi**Dbp2 ]Ɋ& C!Xbp2D F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=aa1ed74b-8da7-4616-a90b-8d358220374d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **Ebp2 ]Ɋ& C!Xbp2E F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=aa1ed74b-8da7-4616-a90b-8d358220374d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Var**Fbp2 ]Ɋ& E!Xbp2F F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=aa1ed74b-8da7-4616-a90b-8d358220374d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ng**@Gbp2 ]Ɋ& !bp2G F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=aa1ed74b-8da7-4616-a90b-8d358220374d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=d7863de6-2ad0-4d59-898b-4eba2e0669cc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Av@**PHp2 ]Ɋ& !p2H F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=aa1ed74b-8da7-4616-a90b-8d358220374d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=d7863de6-2ad0-4d59-898b-4eba2e0669cc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=AlP**HI3 ]Ɋ& !X3I F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d6b465c4-6d19-4b85-9a45-962b8d40fd14 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=lH**`J3 ]Ɋ& !X3J F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d6b465c4-6d19-4b85-9a45-962b8d40fd14 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n`**`K3 ]Ɋ& !X3K F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d6b465c4-6d19-4b85-9a45-962b8d40fd14 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ipt`**XL3 ]Ɋ& !X3L F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d6b465c4-6d19-4b85-9a45-962b8d40fd14 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=outX**XM3 ]Ɋ& !X3M F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d6b465c4-6d19-4b85-9a45-962b8d40fd14 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nd X**XN3 ]Ɋ& !X3N F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d6b465c4-6d19-4b85-9a45-962b8d40fd14 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $X**O3 ]Ɋ& !3O F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d6b465c4-6d19-4b85-9a45-962b8d40fd14 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=8cd0e817-447f-4557-b492-93865254593a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p'**Pe3 ]Ɋ&  !e3P F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d6b465c4-6d19-4b85-9a45-962b8d40fd14 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=8cd0e817-447f-4557-b492-93865254593a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eak **Q."3 ]Ɋ& K!X."3Q F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0e38d761-6e10-4764-9090-ee4498b54dae HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **R."3 ]Ɋ& c!X."3R F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0e38d761-6e10-4764-9090-ee4498b54dae HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **S."3 ]Ɋ& _!X."3S F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0e38d761-6e10-4764-9090-ee4498b54dae HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=O**T."3 ]Ɋ& W!X."3T F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0e38d761-6e10-4764-9090-ee4498b54dae HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **U."3 ]Ɋ& W!X."3U F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0e38d761-6e10-4764-9090-ee4498b54dae HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**V."3 ]Ɋ& Y!X."3V F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0e38d761-6e10-4764-9090-ee4498b54dae HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=uenc**XW."3 ]Ɋ& !."3W F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0e38d761-6e10-4764-9090-ee4498b54dae HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=9ecbf0d2-9cd5-4fe3-aad5-a30d6e19fce2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ss X**`X."3 ]Ɋ& !."3X F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=0e38d761-6e10-4764-9090-ee4498b54dae HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=9ecbf0d2-9cd5-4fe3-aad5-a30d6e19fce2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=an`** Y."3 ]Ɋ& w !X."3Y F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2f258098-6d11-4f37-b01b-e14571de45a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o **8Z."3 ]Ɋ&  !X."3Z F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2f258098-6d11-4f37-b01b-e14571de45a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=28**8[."3 ]Ɋ&  !X."3[ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2f258098-6d11-4f37-b01b-e14571de45a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$do8**0\."3 ]Ɋ&  !X."3\ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2f258098-6d11-4f37-b01b-e14571de45a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=To-0on -Compress ]Ɋ& ],X."3] F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eac ble' -and $_ ]Ɋ&  !Xgo2< F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=43cc565e-32fe-478d-b303-33dd6ad97c9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ElfChnk]y]y`X SMu=VysMc&&**0]."3 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X."3] F&F%g>9{p(xlMD EventDatauoData !Binary` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2f258098-6d11-4f37-b01b-e14571de45a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0^."3 ]Ɋ&  !X."3^ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2f258098-6d11-4f37-b01b-e14571de45a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rs0**_."3 ]Ɋ&  !."3_ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2f258098-6d11-4f37-b01b-e14571de45a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=fde0bb8e-ef3b-4fa8-bba6-de12b62cbc37 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$d**`Ś"3 ]Ɋ&  !Ś"3` F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=2f258098-6d11-4f37-b01b-e14571de45a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=fde0bb8e-ef3b-4fa8-bba6-de12b62cbc37 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8d35** aŚ"3 ]Ɋ&  !XŚ"3a F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2ff4f792-95fe-4631-8641-28897ab765f9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m ** bŚ"3 ]Ɋ&  !XŚ"3b F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2ff4f792-95fe-4631-8641-28897ab765f9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** cŚ"3 ]Ɋ&  !XŚ"3c F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2ff4f792-95fe-4631-8641-28897ab765f9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ole ** dŚ"3 ]Ɋ&  !XŚ"3d F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2ff4f792-95fe-4631-8641-28897ab765f9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rsi ** eŚ"3 ]Ɋ&  !XŚ"3e F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2ff4f792-95fe-4631-8641-28897ab765f9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mma ** fŚ"3 ]Ɋ&  !XŚ"3f F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2ff4f792-95fe-4631-8641-28897ab765f9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ov ** gŚ"3 ]Ɋ& e !Ś"3g F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2ff4f792-95fe-4631-8641-28897ab765f9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=e4c20e99-0c96-4488-9946-52beadb34245 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==p ** h[3#3 ]Ɋ& q ![3#3h F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=2ff4f792-95fe-4631-8641-28897ab765f9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=e4c20e99-0c96-4488-9946-52beadb34245 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2_Lo **i[3#3 ]Ɋ& 7!X[3#3i F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=99477937-396f-4225-98e2-e16277253939 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=W**j[3#3 ]Ɋ& O!X[3#3j F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=99477937-396f-4225-98e2-e16277253939 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m**k[3#3 ]Ɋ& K!X[3#3k F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=99477937-396f-4225-98e2-e16277253939 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s -**l[3#3 ]Ɋ& C!X[3#3l F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=99477937-396f-4225-98e2-e16277253939 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cy **m[3#3 ]Ɋ& C!X[3#3m F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=99477937-396f-4225-98e2-e16277253939 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=uti**n[3#3 ]Ɋ& E!X[3#3n F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=99477937-396f-4225-98e2-e16277253939 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ac**@o[3#3 ]Ɋ& ![3#3o F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=99477937-396f-4225-98e2-e16277253939 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=7ce5ca67-9f16-4587-bef7-34c5927c30ad PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oP@**Pp#3 ]Ɋ& !#3p F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=99477937-396f-4225-98e2-e16277253939 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=7ce5ca67-9f16-4587-bef7-34c5927c30ad PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fileP**Hq ٲ3 ]Ɋ& !X ٲ3q F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=82738c28-ba10-4f93-beee-9b55d6ca0dc5 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pH**`r ٲ3 ]Ɋ& !X ٲ3r F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=82738c28-ba10-4f93-beee-9b55d6ca0dc5 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**`s ٲ3 ]Ɋ& !X ٲ3s F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=82738c28-ba10-4f93-beee-9b55d6ca0dc5 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d `**Xt ٲ3 ]Ɋ& !X ٲ3t F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=82738c28-ba10-4f93-beee-9b55d6ca0dc5 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**Xu ٲ3 ]Ɋ& !X ٲ3u F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=82738c28-ba10-4f93-beee-9b55d6ca0dc5 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=WinX**Xv ٲ3 ]Ɋ& !X ٲ3v F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=82738c28-ba10-4f93-beee-9b55d6ca0dc5 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=&X**w ٲ3 ]Ɋ& ! ٲ3w F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=82738c28-ba10-4f93-beee-9b55d6ca0dc5 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=d795b7bc-dd8f-4893-9ffa-57777461870a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-C**Xx3 ]Ɋ&  !X3x F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=53d3e741-f016-4413-8557-9a636384b5f8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=teX**py3 ]Ɋ&  !X3y F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=53d3e741-f016-4413-8557-9a636384b5f8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sepers = @()  ]Ɋ& apX3z F&DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ElfChnkzz`<+bMu=VysMc&&**pz3 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! Q!X3z F&F%g>9{p(xlMD EventDatauoData !Binary FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=53d3e741-f016-4413-8557-9a636384b5f8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**h{3 ]Ɋ&  !X3{ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=53d3e741-f016-4413-8557-9a636384b5f8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h|3 ]Ɋ&  !X3| F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=53d3e741-f016-4413-8557-9a636384b5f8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h}3 ]Ɋ&  !X3} F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=53d3e741-f016-4413-8557-9a636384b5f8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**~3 ]Ɋ&  !3~ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=53d3e741-f016-4413-8557-9a636384b5f8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=9a0a0649-5475-43b2-86a0-6e42d341ce98 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ **3 ]Ɋ& !3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=53d3e741-f016-4413-8557-9a636384b5f8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=9a0a0649-5475-43b2-86a0-6e42d341ce98 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X3 ]Ɋ&  !X3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1ada6a90-51b5-453e-b9a0-9c59010dd5b3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fiX**p3 ]Ɋ&  !X3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1ada6a90-51b5-453e-b9a0-9c59010dd5b3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**p3 ]Ɋ&  !X3 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1ada6a90-51b5-453e-b9a0-9c59010dd5b3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=DnsCp**h3 ]Ɋ&  !X3 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1ada6a90-51b5-453e-b9a0-9c59010dd5b3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ionPh**h3 ]Ɋ&  !X3 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1ada6a90-51b5-453e-b9a0-9c59010dd5b3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== h**h3 ]Ɋ&  !X3 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1ada6a90-51b5-453e-b9a0-9c59010dd5b3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0 h**3 ]Ɋ&  !3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1ada6a90-51b5-453e-b9a0-9c59010dd5b3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=0430969a-d9c4-4c56-9239-8e83e97932be PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ipt**3 ]Ɋ& !3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=1ada6a90-51b5-453e-b9a0-9c59010dd5b3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=0430969a-d9c4-4c56-9239-8e83e97932be PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=q** Qz3 ]Ɋ& w !XQz3 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6e26ab9a-64c1-458d-81ad-422bff83f6a9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=H **8Qz3 ]Ɋ&  !XQz3 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6e26ab9a-64c1-458d-81ad-422bff83f6a9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=18**8Qz3 ]Ɋ&  !XQz3 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6e26ab9a-64c1-458d-81ad-422bff83f6a9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ver8+= $dnsConfi ]Ɋ& n XQz3 F&omputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ElfChnkvVZMu=VysMc&&**0Qz3 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XQz3 F&F%g>9{p(xlMD EventDatauoData !Binary` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6e26ab9a-64c1-458d-81ad-422bff83f6a9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0Qz3 ]Ɋ&  !XQz3 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6e26ab9a-64c1-458d-81ad-422bff83f6a9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omm0**0Qz3 ]Ɋ&  !XQz3 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6e26ab9a-64c1-458d-81ad-422bff83f6a9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=el0**Qz3 ]Ɋ&  !Qz3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6e26ab9a-64c1-458d-81ad-422bff83f6a9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b0516dc5-b4fa-4a1c-b26d-07eefc618d64 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Co**3 ]Ɋ&  !3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=6e26ab9a-64c1-458d-81ad-422bff83f6a9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b0516dc5-b4fa-4a1c-b26d-07eefc618d64 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1ce9**3 ]Ɋ&  !X3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e369b5e0-3c67-4dd4-b226-78bf79cf9650 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-43b**3 ]Ɋ&  !X3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e369b5e0-3c67-4dd4-b226-78bf79cf9650 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me= **3 ]Ɋ& !X3 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e369b5e0-3c67-4dd4-b226-78bf79cf9650 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C**3 ]Ɋ&  !X3 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e369b5e0-3c67-4dd4-b226-78bf79cf9650 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**3 ]Ɋ&  !X3 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e369b5e0-3c67-4dd4-b226-78bf79cf9650 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**3 ]Ɋ&  !X3 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e369b5e0-3c67-4dd4-b226-78bf79cf9650 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**3 ]Ɋ& O!3 F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e369b5e0-3c67-4dd4-b226-78bf79cf9650 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=88a35113-011c-43b2-96bd-e052203b511b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a**~3 ]Ɋ& [!~3 F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e369b5e0-3c67-4dd4-b226-78bf79cf9650 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=88a35113-011c-43b2-96bd-e052203b511b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le **`2p3 ]Ɋ& !X2p3 F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=04402985-1288-4e99-98dc-b805fff062fa HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-qbbufwdd.30k.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tif`**x2p3 ]Ɋ& !X2p3 F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=04402985-1288-4e99-98dc-b805fff062fa HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-qbbufwdd.30k.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=icax**p2p3 ]Ɋ& !X2p3 F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=04402985-1288-4e99-98dc-b805fff062fa HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-qbbufwdd.30k.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Cp**h2p3 ]Ɋ& !X2p3 F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=04402985-1288-4e99-98dc-b805fff062fa HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-qbbufwdd.30k.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eh**h2p3 ]Ɋ& !X2p3 F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=04402985-1288-4e99-98dc-b805fff062fa HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-qbbufwdd.30k.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ih**p2p3 ]Ɋ& !X2p3 F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=04402985-1288-4e99-98dc-b805fff062fa HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-qbbufwdd.30k.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $map**2p3 ]Ɋ& !2p3 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=04402985-1288-4e99-98dc-b805fff062fa HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-qbbufwdd.30k.ps1 EngineVersion=4.0 RunspaceId=7775f3cb-9661-4f4d-93be-bf007d89c39f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tlyC**2p3 ]Ɋ& !2p3 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=04402985-1288-4e99-98dc-b805fff062fa HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-qbbufwdd.30k.ps1 EngineVersion=4.0 RunspaceId=7775f3cb-9661-4f4d-93be-bf007d89c39f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 2p3 ]Ɋ& w !X2p3 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=dd2ccec3-81ad-4f42-93e0-0e58b40d4b32 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  }  ]Ɋ&  }X2p3 F& if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ver8+= $dnsConfi ]Ɋ& n XQz3 F&omputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ElfChnkp] (Mu=VysMc&&**@2p3 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X2p3 F&F%g>9{p(xlMD EventDatauoData !Binaryl EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=dd2ccec3-81ad-4f42-93e0-0e58b40d4b32 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=@**82p3 ]Ɋ&  !X2p3 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=dd2ccec3-81ad-4f42-93e0-0e58b40d4b32 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Qz8**02p3 ]Ɋ&  !X2p3 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=dd2ccec3-81ad-4f42-93e0-0e58b40d4b32 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Qz0**02p3 ]Ɋ&  !X2p3 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=dd2ccec3-81ad-4f42-93e0-0e58b40d4b32 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mma0**02p3 ]Ɋ&  !X2p3 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=dd2ccec3-81ad-4f42-93e0-0e58b40d4b32 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=om0**2p3 ]Ɋ&  !2p3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=dd2ccec3-81ad-4f42-93e0-0e58b40d4b32 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b33e86f5-65d5-40bb-b4f9-8a81b60fe938 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= P**3 ]Ɋ&  !3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=dd2ccec3-81ad-4f42-93e0-0e58b40d4b32 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b33e86f5-65d5-40bb-b4f9-8a81b60fe938 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rsio** 3 ]Ɋ&  !X3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=77ba9b01-2a95-43ae-aed7-c61e0b7550aa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=St ** 3 ]Ɋ&  !X3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=77ba9b01-2a95-43ae-aed7-c61e0b7550aa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= s ** 3 ]Ɋ&  !X3 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=77ba9b01-2a95-43ae-aed7-c61e0b7550aa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=es - ** 3 ]Ɋ&  !X3 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=77ba9b01-2a95-43ae-aed7-c61e0b7550aa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H ** 3 ]Ɋ&  !X3 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=77ba9b01-2a95-43ae-aed7-c61e0b7550aa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rovi ** 3 ]Ɋ&  !X3 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=77ba9b01-2a95-43ae-aed7-c61e0b7550aa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 3 ]Ɋ& ; !3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=77ba9b01-2a95-43ae-aed7-c61e0b7550aa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion=4.0 RunspaceId=5f0f5798-426a-45ce-8eec-cc0979c895a8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nfi **3 ]Ɋ&  !3 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=82738c28-ba10-4f93-beee-9b55d6ca0dc5 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=d795b7bc-dd8f-4893-9ffa-57777461870a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ngTr** _3 ]Ɋ& G !_3 F&$ StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=77ba9b01-2a95-43ae-aed7-c61e0b7550aa HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion=4.0 RunspaceId=5f0f5798-426a-45ce-8eec-cc0979c895a8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o **X3 ]Ɋ&  !X3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=270c0d78-47ab-458a-ad17-f5df9a16ae89 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=SX**p3 ]Ɋ&  !X3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=270c0d78-47ab-458a-ad17-f5df9a16ae89 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=uep**p3 ]Ɋ&  !X3 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=270c0d78-47ab-458a-ad17-f5df9a16ae89 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_NetprkAdapterCon ]Ɋ& _.X3 F&ddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ver8+= $dnsConfi ]Ɋ& n XQz3 F&omputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ElfChnkU<Mu=VysMc&&**h3 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! I!X3 F&F%g>9{p(xlMD EventDatauoData !Binary FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=270c0d78-47ab-458a-ad17-f5df9a16ae89 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=&h**h3 ]Ɋ&  !X3 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=270c0d78-47ab-458a-ad17-f5df9a16ae89 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h3 ]Ɋ&  !X3 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=270c0d78-47ab-458a-ad17-f5df9a16ae89 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2h**3 ]Ɋ&  !3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=270c0d78-47ab-458a-ad17-f5df9a16ae89 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=842f6486-b5ad-4cd3-abfa-113fdbae9bbe PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **3 ]Ɋ& !3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=270c0d78-47ab-458a-ad17-f5df9a16ae89 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=842f6486-b5ad-4cd3-abfa-113fdbae9bbe PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t** 3 ]Ɋ& w !X3 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e2047157-fb10-4246-a77a-ed5061152aa4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=v **83 ]Ɋ&  !X3 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e2047157-fb10-4246-a77a-ed5061152aa4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e8**83 ]Ɋ&  !X3 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e2047157-fb10-4246-a77a-ed5061152aa4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ing8**03 ]Ɋ&  !X3 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e2047157-fb10-4246-a77a-ed5061152aa4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $t0**03 ]Ɋ&  !X3 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e2047157-fb10-4246-a77a-ed5061152aa4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== N0**03 ]Ɋ&  !X3 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e2047157-fb10-4246-a77a-ed5061152aa4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=om0**#k3 ]Ɋ&  !#k3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e2047157-fb10-4246-a77a-ed5061152aa4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=c2d6650a-82d4-443e-95a6-e396eb38afb3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ex**#k3 ]Ɋ&  !#k3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=e2047157-fb10-4246-a77a-ed5061152aa4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=c2d6650a-82d4-443e-95a6-e396eb38afb3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=3**XN3 ]Ɋ&  !XN3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ca7f0201-6977-4364-b626-9de178f9a35c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ncX**pN3 ]Ɋ&  !XN3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ca7f0201-6977-4364-b626-9de178f9a35c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ncp**pN3 ]Ɋ&  !XN3 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ca7f0201-6977-4364-b626-9de178f9a35c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nce p**hN3 ]Ɋ&  !XN3 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ca7f0201-6977-4364-b626-9de178f9a35c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f ($hc) { $mac }  ]Ɋ&  CXN3 F&ScriptName= CommandPath= CommandLine=ver8+= $dnsConfi ]Ɋ& n XQz3 F&omputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ElfChnk %ԝܤ\Mu=VysMc&&**hN3 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! I!XN3 F&F%g>9{p(xlMD EventDatauoData !Binary RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ca7f0201-6977-4364-b626-9de178f9a35c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=&h**hN3 ]Ɋ&  !XN3 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ca7f0201-6977-4364-b626-9de178f9a35c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**N3 ]Ɋ&  !N3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ca7f0201-6977-4364-b626-9de178f9a35c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=3cccd85a-ca57-4e88-a304-8d64d92067d9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**N3 ]Ɋ& !N3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ca7f0201-6977-4364-b626-9de178f9a35c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=3cccd85a-ca57-4e88-a304-8d64d92067d9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**Xz3 ]Ɋ&  !Xz3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5240285b-5df8-4dc7-964a-78af43d8b002 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=LiX**pz3 ]Ɋ&  !Xz3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5240285b-5df8-4dc7-964a-78af43d8b002 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**pz3 ]Ɋ&  !Xz3 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5240285b-5df8-4dc7-964a-78af43d8b002 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**hz3 ]Ɋ&  !Xz3 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5240285b-5df8-4dc7-964a-78af43d8b002 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**hz3 ]Ɋ&  !Xz3 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5240285b-5df8-4dc7-964a-78af43d8b002 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tarth**hz3 ]Ɋ&  !Xz3 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5240285b-5df8-4dc7-964a-78af43d8b002 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**z3 ]Ɋ&  !z3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5240285b-5df8-4dc7-964a-78af43d8b002 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=08e6c618-921f-434f-89cc-2e8d44d84a5d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ole**z3 ]Ɋ& !z3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5240285b-5df8-4dc7-964a-78af43d8b002 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=08e6c618-921f-434f-89cc-2e8d44d84a5d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=H** 3 ]Ɋ& w !X3 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4cd5c0ea-90c2-40a6-9c33-f80b5ba8cbb1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **83 ]Ɋ&  !X3 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4cd5c0ea-90c2-40a6-9c33-f80b5ba8cbb1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t8**83 ]Ɋ&  !X3 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4cd5c0ea-90c2-40a6-9c33-f80b5ba8cbb1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ste8**03 ]Ɋ&  !X3 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4cd5c0ea-90c2-40a6-9c33-f80b5ba8cbb1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nS0**03 ]Ɋ&  !X3 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4cd5c0ea-90c2-40a6-9c33-f80b5ba8cbb1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0 F&Sc ]Ɋ& +X3 F& n XQz3 F&omputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ElfChnkrMu=VysMc&&**83 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X3 F&F%g>9{p(xlMD EventDatauoData !Binaryb VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4cd5c0ea-90c2-40a6-9c33-f80b5ba8cbb1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndP8**3 ]Ɋ&  !3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4cd5c0ea-90c2-40a6-9c33-f80b5ba8cbb1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=6ecd40e0-224f-465d-ab4c-5b3ae4e741f9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nd**B3 ]Ɋ&  !B3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=4cd5c0ea-90c2-40a6-9c33-f80b5ba8cbb1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=6ecd40e0-224f-465d-ab4c-5b3ae4e741f9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Co**B3 ]Ɋ&  !XB3 F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4c998b64-85ae-45cb-9458-16ccb2fe5bc8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pe= **B3 ]Ɋ&  !XB3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4c998b64-85ae-45cb-9458-16ccb2fe5bc8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Li**B3 ]Ɋ& !XB3 F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4c998b64-85ae-45cb-9458-16ccb2fe5bc8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**B3 ]Ɋ&  !XB3 F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4c998b64-85ae-45cb-9458-16ccb2fe5bc8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**B3 ]Ɋ&  !XB3 F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4c998b64-85ae-45cb-9458-16ccb2fe5bc8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**B3 ]Ɋ&  !XB3 F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4c998b64-85ae-45cb-9458-16ccb2fe5bc8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r**B3 ]Ɋ& O!B3 F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4c998b64-85ae-45cb-9458-16ccb2fe5bc8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=715463cf-3565-40d0-b603-0fce5057b569 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**B3 ]Ɋ& [!B3 F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4c998b64-85ae-45cb-9458-16ccb2fe5bc8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=715463cf-3565-40d0-b603-0fce5057b569 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=4.0**8 [3 ]Ɋ&  !X[3 F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5d1e950c-e230-42f5-8a7b-d2354e05739d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8 **P [3 ]Ɋ&  !X[3 F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5d1e950c-e230-42f5-8a7b-d2354e05739d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e=P **P [3 ]Ɋ&  !X[3 F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5d1e950c-e230-42f5-8a7b-d2354e05739d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ddreP **H [3 ]Ɋ&  !X[3 F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5d1e950c-e230-42f5-8a7b-d2354e05739d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=PEnaH **H [3 ]Ɋ&  !X[3 F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5d1e950c-e230-42f5-8a7b-d2354e05739d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=jectH **H [3 ]Ɋ&  !X[3 F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5d1e950c-e230-42f5-8a7b-d2354e05739d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NetH rkAdapterCon ]Ɋ& _.[3 F&ddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0 F&Sc ]Ɋ& +X3 F& n XQz3 F&omputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ElfChnkFMu=VysMc&&**[3 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! { ![3 F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5d1e950c-e230-42f5-8a7b-d2354e05739d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=97af7e0d-1304-4901-8a63-13ae73a6e3b3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** [3 ]Ɋ&  ![3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5d1e950c-e230-42f5-8a7b-d2354e05739d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=97af7e0d-1304-4901-8a63-13ae73a6e3b3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r ** [3 ]Ɋ& w !X[3 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=26fe1bb3-813c-4b8a-b726-906f7f192cbc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c **8[3 ]Ɋ&  !X[3 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=26fe1bb3-813c-4b8a-b726-906f7f192cbc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8[3 ]Ɋ&  !X[3 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=26fe1bb3-813c-4b8a-b726-906f7f192cbc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r) 8**0[3 ]Ɋ&  !X[3 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=26fe1bb3-813c-4b8a-b726-906f7f192cbc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y =0**0[3 ]Ɋ&  !X[3 F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=26fe1bb3-813c-4b8a-b726-906f7f192cbc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=es 0**0[3 ]Ɋ&  !X[3 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=26fe1bb3-813c-4b8a-b726-906f7f192cbc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r 0**[3 ]Ɋ&  ![3 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=26fe1bb3-813c-4b8a-b726-906f7f192cbc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=62d223ff-c99e-47af-accd-7f01f811bb62 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er**3 ]Ɋ&  !3 F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=26fe1bb3-813c-4b8a-b726-906f7f192cbc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=62d223ff-c99e-47af-accd-7f01f811bb62 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t $h**3 ]Ɋ& K!X3 F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5029c41b-4ccb-47c7-8671-85cd11752668 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Pr**3 ]Ɋ& c!X3 F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5029c41b-4ccb-47c7-8671-85cd11752668 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= } **3 ]Ɋ& _!X3 F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5029c41b-4ccb-47c7-8671-85cd11752668 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r**3 ]Ɋ& W!X3 F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5029c41b-4ccb-47c7-8671-85cd11752668 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **3 ]Ɋ& W!X3 F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5029c41b-4ccb-47c7-8671-85cd11752668 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.**3 ]Ɋ& Y!X3 F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5029c41b-4ccb-47c7-8671-85cd11752668 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=lled**X3 ]Ɋ& !3 F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5029c41b-4ccb-47c7-8671-85cd11752668 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=ee8498e4-15a9-461a-ad3a-92aafdc3a686 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**`3 ]Ɋ& !3 F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5029c41b-4ccb-47c7-8671-85cd11752668 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=ee8498e4-15a9-461a-ad3a-92aafdc3a686 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l.`** 83 ]Ɋ& w !X83 F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=14f0316a-418a-4283-bba4-73e156c223f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **883 ]Ɋ&  !X83 F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=14f0316a-418a-4283-bba4-73e156c223f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s8**883 ]Ɋ&  !X83 F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=14f0316a-418a-4283-bba4-73e156c223f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ 8**083 ]Ɋ&  !X83 F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=14f0316a-418a-4283-bba4-73e156c223f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=in 0 } $r ]Ɋ& ObX83 F&= if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ElfChnk  HJR1Mu=VysMc&&**083 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X83 F&F%g>9{p(xlMD EventDatauoData !Binary` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=14f0316a-418a-4283-bba4-73e156c223f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**083 ]Ɋ&  !X83 F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=14f0316a-418a-4283-bba4-73e156c223f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ta0**83 ]Ɋ&  !83 F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=14f0316a-418a-4283-bba4-73e156c223f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d66ec6b6-af0a-44c4-9291-950aa398ca70 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 83 ]Ɋ&  !83  F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=14f0316a-418a-4283-bba4-73e156c223f6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d66ec6b6-af0a-44c4-9291-950aa398ca70 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ostI**  3 ]Ɋ&  !X3  F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=24c3a50d-f315-46c2-a339-654d47cf92ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e **  3 ]Ɋ&  !X3  F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=24c3a50d-f315-46c2-a339-654d47cf92ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c **  3 ]Ɋ&  !X3  F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=24c3a50d-f315-46c2-a339-654d47cf92ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Pol **  3 ]Ɋ&  !X3  F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=24c3a50d-f315-46c2-a339-654d47cf92ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **  3 ]Ɋ&  !X3  F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=24c3a50d-f315-46c2-a339-654d47cf92ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} c **  3 ]Ɋ&  !X3  F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=24c3a50d-f315-46c2-a339-654d47cf92ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=or **  3 ]Ɋ& e !3  F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=24c3a50d-f315-46c2-a339-654d47cf92ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=eb52d9e0-1b72-4dbc-a01b-3f7c0f59d7cc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cc **  3 ]Ɋ& q !3  F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=24c3a50d-f315-46c2-a339-654d47cf92ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=eb52d9e0-1b72-4dbc-a01b-3f7c0f59d7cc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t-Co **X 3 ]Ɋ&  !X3  F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=3f955391-efff-47af-a2bd-2e4a46375a7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s X**p 3 ]Ɋ&  !X3  F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=3f955391-efff-47af-a2bd-2e4a46375a7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mmp**p 3 ]Ɋ&  !X3  F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=3f955391-efff-47af-a2bd-2e4a46375a7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Hosp**h 3 ]Ɋ&  !X3  F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=3f955391-efff-47af-a2bd-2e4a46375a7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rrorh**h 3 ]Ɋ&  !X3  F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=3f955391-efff-47af-a2bd-2e4a46375a7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nue)h**h 3 ]Ɋ&  !X3  F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=3f955391-efff-47af-a2bd-2e4a46375a7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tRoh** 3 ]Ɋ&  !3  F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=3f955391-efff-47af-a2bd-2e4a46375a7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=95a999b5-5ed4-4a35-a5f0-cbd1c3ba4ff5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rfaMetric i ]Ɋ& ro3  F& foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=in 0 } $r ]Ɋ& ObX83 F&= if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ElfChnk -  - pxiMu=VysMc&&** 3 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !3  F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=3f955391-efff-47af-a2bd-2e4a46375a7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=95a999b5-5ed4-4a35-a5f0-cbd1c3ba4ff5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** 3 ]Ɋ& 7!X3  F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=11e43ebd-efa1-42fd-b90d-543b3870dd3b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l** 3 ]Ɋ& O!X3  F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=11e43ebd-efa1-42fd-b90d-543b3870dd3b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1** 3 ]Ɋ& K!X3  F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=11e43ebd-efa1-42fd-b90d-543b3870dd3b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.0.** 3 ]Ɋ& C!X3  F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=11e43ebd-efa1-42fd-b90d-543b3870dd3b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Con** 3 ]Ɋ& C!X3  F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=11e43ebd-efa1-42fd-b90d-543b3870dd3b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tNa** 3 ]Ɋ& E!X3  F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=11e43ebd-efa1-42fd-b90d-543b3870dd3b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **@ i3 ]Ɋ& !i3  F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=11e43ebd-efa1-42fd-b90d-543b3870dd3b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=ce519694-7753-4f6b-b8e3-f8a7a1d7efb5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=98@**X i3 ]Ɋ&  !Xi3  F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4e1474d1-122a-45dd-9fc2-6a37dc655c61 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= fX**p i3 ]Ɋ&  !Xi3  F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4e1474d1-122a-45dd-9fc2-6a37dc655c61 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sep**p i3 ]Ɋ&  !Xi3  F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4e1474d1-122a-45dd-9fc2-6a37dc655c61 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 'Upp**h i3 ]Ɋ&  !Xi3  F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4e1474d1-122a-45dd-9fc2-6a37dc655c61 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rtToh**h i3 ]Ɋ&  !Xi3  F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4e1474d1-122a-45dd-9fc2-6a37dc655c61 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ve -h**h i3 ]Ɋ&  !Xi3  F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4e1474d1-122a-45dd-9fc2-6a37dc655c61 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($sh** i3 ]Ɋ&  !i3  F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4e1474d1-122a-45dd-9fc2-6a37dc655c61 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=b30808ea-e38f-48ec-9767-60506fa09ea7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ign** i3 ]Ɋ& !i3  F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4e1474d1-122a-45dd-9fc2-6a37dc655c61 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=b30808ea-e38f-48ec-9767-60506fa09ea7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**P i3 ]Ɋ& !i3  F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=11e43ebd-efa1-42fd-b90d-543b3870dd3b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=ce519694-7753-4f6b-b8e3-f8a7a1d7efb5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=CommP**H! l4 ]Ɋ& !Xl4!  F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=658d02fb-601f-4393-a7e3-6b97ba2019fc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=iH**`" l4 ]Ɋ& !Xl4"  F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=658d02fb-601f-4393-a7e3-6b97ba2019fc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=5`**`# l4 ]Ɋ& !Xl4#  F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=658d02fb-601f-4393-a7e3-6b97ba2019fc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Ou`**X$ l4 ]Ɋ& !Xl4$  F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=658d02fb-601f-4393-a7e3-6b97ba2019fc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e -X**X% l4 ]Ɋ& !Xl4%  F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=658d02fb-601f-4393-a7e3-6b97ba2019fc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=priX**X& l4 ]Ɋ& !Xl4&  F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=658d02fb-601f-4393-a7e3-6b97ba2019fc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=anX**' l4 ]Ɋ& !l4'  F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=658d02fb-601f-4393-a7e3-6b97ba2019fc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=cea4b628-1d76-4df9-8951-4f60c913cef8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r=**( פ4 ]Ɋ& K!Xפ4(  F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=3ccefe93-02e0-44ca-9223-009fb005f967 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ate**) פ4 ]Ɋ& c!Xפ4)  F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=3ccefe93-02e0-44ca-9223-009fb005f967 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Eng*** פ4 ]Ɋ& _!Xפ4*  F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=3ccefe93-02e0-44ca-9223-009fb005f967 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=O**+ פ4 ]Ɋ& W!Xפ4+  F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=3ccefe93-02e0-44ca-9223-009fb005f967 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$**, פ4 ]Ɋ& W!Xפ4,  F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=3ccefe93-02e0-44ca-9223-009fb005f967 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**- פ4 ]Ɋ& Y!Xפ4-  F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=3ccefe93-02e0-44ca-9223-009fb005f967 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= {  # ignore  ]Ɋ& spפ4.  F&dName= CommandType= ScriptName= CommandPath= CommandLine=in 0 } $r ]Ɋ& ObX83 F&= if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ElfChnk. F . F 8xGRg;Mu=VysMc&&**X . פ4 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! 9!פ4.  F&F%g>9{p(xlMD EventDatauoData !BinaryAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=3ccefe93-02e0-44ca-9223-009fb005f967 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=7397cb33-7c32-4731-b946-5b34638e6049 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tX **`/ פ4 ]Ɋ& !פ4/  F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=3ccefe93-02e0-44ca-9223-009fb005f967 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=7397cb33-7c32-4731-b946-5b34638e6049 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=U`** 0 Op4 ]Ɋ& w !XOp40  F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e14b5238-0422-43d9-8034-cc422fd535a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **81 Op4 ]Ɋ&  !XOp41  F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e14b5238-0422-43d9-8034-cc422fd535a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=I8**82 Op4 ]Ɋ&  !XOp42  F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e14b5238-0422-43d9-8034-cc422fd535a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tpu8**03 Op4 ]Ɋ&  !XOp43  F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e14b5238-0422-43d9-8034-cc422fd535a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} }0**04 Op4 ]Ɋ&  !XOp44  F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e14b5238-0422-43d9-8034-cc422fd535a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t "0**05 Op4 ]Ɋ&  !XOp45  F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e14b5238-0422-43d9-8034-cc422fd535a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**6 Op4 ]Ɋ&  !Op46  F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e14b5238-0422-43d9-8034-cc422fd535a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=69b58fa9-8249-42e1-99c3-544fcd2d703f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **7 4 ]Ɋ&  !47  F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=e14b5238-0422-43d9-8034-cc422fd535a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=69b58fa9-8249-42e1-99c3-544fcd2d703f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= "EK** 8 4 ]Ɋ&  !X48  F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=81966ae9-c1e0-41eb-881c-0710f7db7925 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=E ** 9 4 ]Ɋ&  !X49  F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=81966ae9-c1e0-41eb-881c-0710f7db7925 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== ** : 4 ]Ɋ&  !X4:  F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=81966ae9-c1e0-41eb-881c-0710f7db7925 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tpu ** ; 4 ]Ɋ&  !X4;  F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=81966ae9-c1e0-41eb-881c-0710f7db7925 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=age ** < 4 ]Ɋ&  !X4<  F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=81966ae9-c1e0-41eb-881c-0710f7db7925 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=etN ** = 4 ]Ɋ&  !X4=  F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=81966ae9-c1e0-41eb-881c-0710f7db7925 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tA ** > 4 ]Ɋ& e !4>  F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=81966ae9-c1e0-41eb-881c-0710f7db7925 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=e6a8022d-3cfa-44f3-9034-ebe5d30a0c7f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pa ** ? 4 ]Ɋ& q !4?  F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=81966ae9-c1e0-41eb-881c-0710f7db7925 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=e6a8022d-3cfa-44f3-9034-ebe5d30a0c7f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **@ |4 ]Ɋ& 7!X|4@  F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d2385925-321e-4c58-8aa0-f549f6173fbd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=3**A |4 ]Ɋ& O!X|4A  F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d2385925-321e-4c58-8aa0-f549f6173fbd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s**B |4 ]Ɋ& K!X|4B  F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d2385925-321e-4c58-8aa0-f549f6173fbd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ion**C |4 ]Ɋ& C!X|4C  F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d2385925-321e-4c58-8aa0-f549f6173fbd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Hos**D |4 ]Ɋ& C!X|4D  F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d2385925-321e-4c58-8aa0-f549f6173fbd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eHo**E |4 ]Ɋ& E!X|4E  F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d2385925-321e-4c58-8aa0-f549f6173fbd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e=**@F |4 ]Ɋ& !|4F  F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d2385925-321e-4c58-8aa0-f549f6173fbd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=05025e88-b6f4-465f-8d3f-ef7db31f53dd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=b@83 ]Ɋ& ma|4G  F& $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ElfChnkG d G d x6 Mu=VysMc&&**P G |4 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! 1!|4G  F&F%g>9{p(xlMD EventDatauoData !Binary~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d2385925-321e-4c58-8aa0-f549f6173fbd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=05025e88-b6f4-465f-8d3f-ef7db31f53dd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P **H 4 ]Ɋ&  !4H  F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=658d02fb-601f-4393-a7e3-6b97ba2019fc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=cea4b628-1d76-4df9-8951-4f60c913cef8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sk"}**HI  =<5 ]Ɋ& !X =<5I  F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=21020849-5fec-4d05-8169-d4236e6c8c0e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xH**`J  =<5 ]Ɋ& !X =<5J  F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=21020849-5fec-4d05-8169-d4236e6c8c0e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n`**`K  =<5 ]Ɋ& !X =<5K  F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=21020849-5fec-4d05-8169-d4236e6c8c0e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s W`**XL  =<5 ]Ɋ& !X =<5L  F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=21020849-5fec-4d05-8169-d4236e6c8c0e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ostX**XM  =<5 ]Ɋ& !X =<5M  F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=21020849-5fec-4d05-8169-d4236e6c8c0e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dapX**XN  =<5 ]Ɋ& !X =<5N  F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=21020849-5fec-4d05-8169-d4236e6c8c0e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tiX**O  =<5 ]Ɋ& ! =<5O  F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=21020849-5fec-4d05-8169-d4236e6c8c0e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=6efd3230-6595-421b-9243-8bbb51100eb4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=FӨ**P dC5 ]Ɋ&  !dC5P  F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=21020849-5fec-4d05-8169-d4236e6c8c0e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=6efd3230-6595-421b-9243-8bbb51100eb4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rout**Q W5 ]Ɋ& K!XW5Q  F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=53778e4a-fe18-4890-b890-1238cf50cd69 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -C**R W5 ]Ɋ& c!XW5R  F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=53778e4a-fe18-4890-b890-1238cf50cd69 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nul**S W5 ]Ɋ& _!XW5S  F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=53778e4a-fe18-4890-b890-1238cf50cd69 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**T W5 ]Ɋ& W!XW5T  F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=53778e4a-fe18-4890-b890-1238cf50cd69 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r**U W5 ]Ɋ& W!XW5U  F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=53778e4a-fe18-4890-b890-1238cf50cd69 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a**V W5 ]Ɋ& Y!XW5V  F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=53778e4a-fe18-4890-b890-1238cf50cd69 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f ($**XW W5 ]Ɋ& !W5W  F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=53778e4a-fe18-4890-b890-1238cf50cd69 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=dfe16f86-fe4c-4207-b66e-28f77dd3140a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**`X W5 ]Ɋ& !W5X  F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=53778e4a-fe18-4890-b890-1238cf50cd69 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=dfe16f86-fe4c-4207-b66e-28f77dd3140a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=at`** Y @X5 ]Ɋ& w !X@X5Y  F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2f1f0dbc-ea06-4f8a-afd3-d68c350efe5f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=C **8Z @X5 ]Ɋ&  !X@X5Z  F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2f1f0dbc-ea06-4f8a-afd3-d68c350efe5f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8[ @X5 ]Ɋ&  !X@X5[  F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2f1f0dbc-ea06-4f8a-afd3-d68c350efe5f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sta8**0\ @X5 ]Ɋ&  !X@X5\  F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2f1f0dbc-ea06-4f8a-afd3-d68c350efe5f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0] @X5 ]Ɋ&  !X@X5]  F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2f1f0dbc-ea06-4f8a-afd3-d68c350efe5f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0^ @X5 ]Ɋ&  !X@X5^  F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2f1f0dbc-ea06-4f8a-afd3-d68c350efe5f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=x 0**_ @X5 ]Ɋ&  !@X5_  F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2f1f0dbc-ea06-4f8a-afd3-d68c350efe5f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d7f1c590-6ae0-4adc-8b82-9d765fbcac8c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ma**` DX5 ]Ɋ&  !DX5`  F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=2f1f0dbc-ea06-4f8a-afd3-d68c350efe5f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d7f1c590-6ae0-4adc-8b82-9d765fbcac8c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ess,** a DX5 ]Ɋ&  !XDX5a  F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f39e504b-61ee-4237-b823-041ab22707bf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s ** b DX5 ]Ɋ&  !XDX5b  F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f39e504b-61ee-4237-b823-041ab22707bf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ** c DX5 ]Ɋ&  !XDX5c  F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f39e504b-61ee-4237-b823-041ab22707bf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e' ** d DX5 ]Ɋ&  !XDX5d  F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f39e504b-61ee-4237-b823-041ab22707bf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pre } catch { ]Ɋ& :"XDX5e  F& RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ElfChnke  e  wYMu=VysMc&&** e DX5 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !XDX5e  F&F%g>9{p(xlMD EventDatauoData !BinaryRegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f39e504b-61ee-4237-b823-041ab22707bf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** f DX5 ]Ɋ&  !XDX5f  F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f39e504b-61ee-4237-b823-041ab22707bf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dP ** g DX5 ]Ɋ& e !DX5g  F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f39e504b-61ee-4237-b823-041ab22707bf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=baba2b46-9c6f-4715-95fd-5f52abb8510d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=vi ** h DX5 ]Ɋ& q !DX5h  F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f39e504b-61ee-4237-b823-041ab22707bf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=baba2b46-9c6f-4715-95fd-5f52abb8510d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oPro **i qY5 ]Ɋ& 7!XqY5i  F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=cb27662c-84e5-44d6-8a4e-e46f9a12d5d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2**j qY5 ]Ɋ& O!XqY5j  F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=cb27662c-84e5-44d6-8a4e-e46f9a12d5d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=V**k qY5 ]Ɋ& K!XqY5k  F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=cb27662c-84e5-44d6-8a4e-e46f9a12d5d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=res**l qY5 ]Ɋ& C!XqY5l  F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=cb27662c-84e5-44d6-8a4e-e46f9a12d5d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tTo**m qY5 ]Ɋ& C!XqY5m  F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=cb27662c-84e5-44d6-8a4e-e46f9a12d5d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=| C**n qY5 ]Ɋ& E!XqY5n  F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=cb27662c-84e5-44d6-8a4e-e46f9a12d5d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} **@o qY5 ]Ɋ& !qY5o  F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=cb27662c-84e5-44d6-8a4e-e46f9a12d5d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=7a5c19d2-cbf8-476e-a20a-bc8e47664056 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ss@**Pp qY5 ]Ɋ& !qY5p  F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=cb27662c-84e5-44d6-8a4e-e46f9a12d5d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=7a5c19d2-cbf8-476e-a20a-bc8e47664056 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eId=P**Hq j 5 ]Ɋ& !Xj 5q  F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=19d6cfb7-4201-43b9-931e-abdc6399a624 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**`r j 5 ]Ɋ& !Xj 5r  F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=19d6cfb7-4201-43b9-931e-abdc6399a624 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**`s j 5 ]Ɋ& !Xj 5s  F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=19d6cfb7-4201-43b9-931e-abdc6399a624 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**Xt j 5 ]Ɋ& !Xj 5t  F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=19d6cfb7-4201-43b9-931e-abdc6399a624 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2_NX**Xu j 5 ]Ɋ& !Xj 5u  F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=19d6cfb7-4201-43b9-931e-abdc6399a624 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**Xv j 5 ]Ɋ& !Xj 5v  F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=19d6cfb7-4201-43b9-931e-abdc6399a624 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=erX**w j 5 ]Ɋ& !j 5w  F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=19d6cfb7-4201-43b9-931e-abdc6399a624 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=311da077-4d77-4077-9463-b23e1b5affc7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **Xx >5 ]Ɋ&  !X>5x  F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=cd71129f-88f9-4947-9297-66eac8c350c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=GeX**py >5 ]Ɋ&  !X>5y  F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=cd71129f-88f9-4947-9297-66eac8c350c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=enp**pz >5 ]Ɋ&  !X>5z  F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=cd71129f-88f9-4947-9297-66eac8c350c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Get-p**h{ >5 ]Ɋ&  !X>5{  F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=cd71129f-88f9-4947-9297-66eac8c350c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Win3h**h| >5 ]Ɋ&  !X>5|  F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=cd71129f-88f9-4947-9297-66eac8c350c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ratih**h} >5 ]Ɋ&  !X>5}  F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=cd71129f-88f9-4947-9297-66eac8c350c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=orkh**~ >5 ]Ɋ&  !>5~  F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=cd71129f-88f9-4947-9297-66eac8c350c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=a3dd100b-0d2c-4e4c-a983-580b492e45f2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** >5 ]Ɋ& !>5  F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=cd71129f-88f9-4947-9297-66eac8c350c2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=a3dd100b-0d2c-4e4c-a983-580b492e45f2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s**X 5 ]Ɋ&  !X5  F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=29233c50-0746-4bbe-b04d-e18c927537b2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X: ]Ɋ& ipX5  F&mandType= ScriptName= CommandPath= CommandLine=ElfChnk    h c)*5oMu=VysMc&&**x 5 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! U!X5  F&F%g>9{p(xlMD EventDatauoData !Binary EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=29233c50-0746-4bbe-b04d-e18c927537b2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eInx**p 5 ]Ɋ&  !X5  F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=29233c50-0746-4bbe-b04d-e18c927537b2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=elinp**h 5 ]Ɋ&  !X5  F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=29233c50-0746-4bbe-b04d-e18c927537b2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ''h**h 5 ]Ɋ&  !X5  F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=29233c50-0746-4bbe-b04d-e18c927537b2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h 5 ]Ɋ&  !X5  F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=29233c50-0746-4bbe-b04d-e18c927537b2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=icyh** 5 ]Ɋ&  !5  F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=29233c50-0746-4bbe-b04d-e18c927537b2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=9116f88f-a06a-4bc7-8870-33599fb4d1a8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Id=** 5 ]Ɋ& !5  F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=29233c50-0746-4bbe-b04d-e18c927537b2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=9116f88f-a06a-4bc7-8870-33599fb4d1a8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**  5 ]Ɋ& w !X5  F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=899dfa2c-d886-4e57-8ce2-7274bc1404f2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=4 **8 5 ]Ɋ&  !X5  F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=899dfa2c-d886-4e57-8ce2-7274bc1404f2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=j8**8 5 ]Ɋ&  !X5  F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=899dfa2c-d886-4e57-8ce2-7274bc1404f2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Enh8**0 5 ]Ɋ&  !X5  F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=899dfa2c-d886-4e57-8ce2-7274bc1404f2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0 5 ]Ɋ&  !X5  F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=899dfa2c-d886-4e57-8ce2-7274bc1404f2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nha0**0 5 ]Ɋ&  !X5  F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=899dfa2c-d886-4e57-8ce2-7274bc1404f2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0** 5 ]Ɋ&  !5  F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=899dfa2c-d886-4e57-8ce2-7274bc1404f2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=a212a8df-8cad-4f8e-bb75-ceb0f6d3ae86 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= i** `5 ]Ɋ&  !`5  F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=899dfa2c-d886-4e57-8ce2-7274bc1404f2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=a212a8df-8cad-4f8e-bb75-ceb0f6d3ae86 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=hanc** `5 ]Ɋ&  !X`5  F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4bdb6a25-ab01-4c16-8409-a2410d8afd58 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= if** `5 ]Ɋ&  !X`5  F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4bdb6a25-ab01-4c16-8409-a2410d8afd58 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=TypeEnhancedKeyU ]Ɋ& EnX`5  F&ect { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X: ]Ɋ& ipX5  F&mandType= ScriptName= CommandPath= CommandLine=ElfChnk    (ݷ0&Mu=VysMc&&** `5 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X`5  F&F%g>9{p(xlMD EventDatauoData !Binary FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4bdb6a25-ab01-4c16-8409-a2410d8afd58 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** `5 ]Ɋ&  !X`5  F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4bdb6a25-ab01-4c16-8409-a2410d8afd58 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** `5 ]Ɋ&  !X`5  F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4bdb6a25-ab01-4c16-8409-a2410d8afd58 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** `5 ]Ɋ&  !X`5  F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4bdb6a25-ab01-4c16-8409-a2410d8afd58 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r** `5 ]Ɋ& O!`5  F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4bdb6a25-ab01-4c16-8409-a2410d8afd58 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=0e00563b-ff51-4fc7-910b-1568e21c544a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t** ,5 ]Ɋ& [!,5  F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4bdb6a25-ab01-4c16-8409-a2410d8afd58 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=0e00563b-ff51-4fc7-910b-1568e21c544a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=4.0**8 gQ6 ]Ɋ&  !XgQ6  F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6666f364-0386-4bde-8af5-05ac92696aa3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8 **P gQ6 ]Ɋ&  !XgQ6  F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6666f364-0386-4bde-8af5-05ac92696aa3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e=P **P gQ6 ]Ɋ&  !XgQ6  F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6666f364-0386-4bde-8af5-05ac92696aa3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ddreP **H gQ6 ]Ɋ&  !XgQ6  F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6666f364-0386-4bde-8af5-05ac92696aa3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=PEnaH **H gQ6 ]Ɋ&  !XgQ6  F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6666f364-0386-4bde-8af5-05ac92696aa3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=jectH **H gQ6 ]Ɋ&  !XgQ6  F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6666f364-0386-4bde-8af5-05ac92696aa3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NetH ** gQ6 ]Ɋ&  !gQ6  F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6666f364-0386-4bde-8af5-05ac92696aa3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=1ebdd3b1-986c-4a5f-9e61-be82c3a8c059 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rro ** gQ6 ]Ɋ&  !gQ6  F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=6666f364-0386-4bde-8af5-05ac92696aa3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=1ebdd3b1-986c-4a5f-9e61-be82c3a8c059 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=b **  gQ6 ]Ɋ& w !XgQ6  F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2b4e8112-8f19-4f54-8bcb-742fab18bfdd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8 gQ6 ]Ɋ&  !XgQ6  F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2b4e8112-8f19-4f54-8bcb-742fab18bfdd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=A8**8 gQ6 ]Ɋ&  !XgQ6  F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2b4e8112-8f19-4f54-8bcb-742fab18bfdd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=up 8try { $ta ]Ɋ& orXgQ6  F&ers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=TypeEnhancedKeyU ]Ɋ& EnX`5  F&ect { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X: ]Ɋ& ipX5  F&mandType= ScriptName= CommandPath= CommandLine=ElfChnk    Pv?Mu=VysMc&&**0 gQ6 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XgQ6  F&F%g>9{p(xlMD EventDatauoData !Binary` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2b4e8112-8f19-4f54-8bcb-742fab18bfdd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0 gQ6 ]Ɋ&  !XgQ6  F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2b4e8112-8f19-4f54-8bcb-742fab18bfdd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0 gQ6 ]Ɋ&  !XgQ6  F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2b4e8112-8f19-4f54-8bcb-742fab18bfdd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e 0** gQ6 ]Ɋ&  !gQ6  F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2b4e8112-8f19-4f54-8bcb-742fab18bfdd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=7be71108-32a9-4fd7-af21-4e2a03b476b3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ti** 6 ]Ɋ&  !6  F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=2b4e8112-8f19-4f54-8bcb-742fab18bfdd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=7be71108-32a9-4fd7-af21-4e2a03b476b3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=itio** 6 ]Ɋ& K!X6  F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c2be6f63-bd66-4c2c-9bc3-c59f543d3d72 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Tim** 6 ]Ɋ& c!X6  F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c2be6f63-bd66-4c2c-9bc3-c59f543d3d72 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 6 ]Ɋ& _!X6  F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c2be6f63-bd66-4c2c-9bc3-c59f543d3d72 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l** 6 ]Ɋ& W!X6  F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c2be6f63-bd66-4c2c-9bc3-c59f543d3d72 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=A** 6 ]Ɋ& W!X6  F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c2be6f63-bd66-4c2c-9bc3-c59f543d3d72 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a** 6 ]Ɋ& Y!X6  F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c2be6f63-bd66-4c2c-9bc3-c59f543d3d72 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=inue**X 6 ]Ɋ& !6  F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c2be6f63-bd66-4c2c-9bc3-c59f543d3d72 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=f38a5905-b3cf-4dab-9f86-b40ff1291b2c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= } X**` 6 ]Ɋ& !6  F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c2be6f63-bd66-4c2c-9bc3-c59f543d3d72 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=f38a5905-b3cf-4dab-9f86-b40ff1291b2c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.P`**  6 ]Ɋ& w !X6  F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=572cab80-a4c0-40f4-8b1e-4463a257ef81 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s **8 6 ]Ɋ&  !X6  F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=572cab80-a4c0-40f4-8b1e-4463a257ef81 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i8**8 6 ]Ɋ&  !X6  F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=572cab80-a4c0-40f4-8b1e-4463a257ef81 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=if 8**0 6 ]Ɋ&  !X6  F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=572cab80-a4c0-40f4-8b1e-4463a257ef81 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=par0**0 6 ]Ɋ&  !X6  F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=572cab80-a4c0-40f4-8b1e-4463a257ef81 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oul0**0 6 ]Ɋ&  !X6  F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=572cab80-a4c0-40f4-8b1e-4463a257ef81 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_N0** 6 ]Ɋ&  !6  F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=572cab80-a4c0-40f4-8b1e-4463a257ef81 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=e5c6cced-02cb-40ad-999b-17cb0c037ae7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-O** 6 ]Ɋ&  !6  F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=572cab80-a4c0-40f4-8b1e-4463a257ef81 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=e5c6cced-02cb-40ad-999b-17cb0c037ae7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=way ** 6 ]Ɋ&  !X6  F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=91832bea-6f2b-4228-9058-5cfc73d9f60a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n aceId= Pip ]Ɋ& NaX6  F&ine=TypeEnhancedKeyU ]Ɋ& EnX`5  F&ect { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X: ]Ɋ& ipX5  F&mandType= ScriptName= CommandPath= CommandLine=ElfChnk    ( jjMu=VysMc&&** 6 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !X6  F&F%g>9{p(xlMD EventDatauoData !BinaryEnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=91832bea-6f2b-4228-9058-5cfc73d9f60a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-C ** 6 ]Ɋ&  !X6  F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=91832bea-6f2b-4228-9058-5cfc73d9f60a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= in ** 6 ]Ɋ&  !X6  F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=91832bea-6f2b-4228-9058-5cfc73d9f60a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=der ** 6 ]Ɋ&  !X6  F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=91832bea-6f2b-4228-9058-5cfc73d9f60a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $_ ** 6 ]Ɋ&  !X6  F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=91832bea-6f2b-4228-9058-5cfc73d9f60a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ti ** 6 ]Ɋ& e !6  F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=91832bea-6f2b-4228-9058-5cfc73d9f60a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=5e3ccb5a-e9bd-4077-abe0-d587745ed069 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.0 **X *6 ]Ɋ&  !X*6  F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f4dae3c3-848e-47ec-88fb-9ad8e9e54607 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= HX**p *6 ]Ɋ&  !X*6  F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f4dae3c3-848e-47ec-88fb-9ad8e9e54607 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= p**p *6 ]Ɋ&  !X*6  F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f4dae3c3-848e-47ec-88fb-9ad8e9e54607 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**h *6 ]Ɋ&  !X*6  F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f4dae3c3-848e-47ec-88fb-9ad8e9e54607 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=exe h**h *6 ]Ɋ&  !X*6  F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f4dae3c3-848e-47ec-88fb-9ad8e9e54607 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.Defh**h *6 ]Ɋ&  !X*6  F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f4dae3c3-848e-47ec-88fb-9ad8e9e54607 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.MAh** *6 ]Ɋ&  !*6  F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f4dae3c3-848e-47ec-88fb-9ad8e9e54607 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=2550510c-f4e4-4e85-a27b-af11e71aa6d9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=et-** *6 ]Ɋ& !*6  F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f4dae3c3-848e-47ec-88fb-9ad8e9e54607 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=2550510c-f4e4-4e85-a27b-af11e71aa6d9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=I** *6 ]Ɋ& q !*6  F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=91832bea-6f2b-4228-9058-5cfc73d9f60a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=5e3ccb5a-e9bd-4077-abe0-d587745ed069 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **X *6 ]Ɋ&  !X*6  F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a5e9db26-930b-47ab-9adb-72fdfb5c48b7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**p *6 ]Ɋ&  !X*6  F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a5e9db26-930b-47ab-9adb-72fdfb5c48b7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= p**p *6 ]Ɋ&  !X*6  F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a5e9db26-930b-47ab-9adb-72fdfb5c48b7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} cap**h *6 ]Ɋ&  !X*6  F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a5e9db26-930b-47ab-9adb-72fdfb5c48b7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=esulh| ConvertTo- ]Ɋ& DNX*6  F&}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n aceId= Pip ]Ɋ& NaX6  F&ine=TypeEnhancedKeyU ]Ɋ& EnX`5  F&ect { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X: ]Ɋ& ipX5  F&mandType= ScriptName= CommandPath= CommandLine=ElfChnk    Hx&Mu=VysMc&&**h *6 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! I!X*6  F&F%g>9{p(xlMD EventDatauoData !Binary RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a5e9db26-930b-47ab-9adb-72fdfb5c48b7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$h**h *6 ]Ɋ&  !X*6  F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a5e9db26-930b-47ab-9adb-72fdfb5c48b7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Namh** *6 ]Ɋ&  !*6  F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a5e9db26-930b-47ab-9adb-72fdfb5c48b7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=fbcd8443-19f5-49ac-a8ed-94b5ebc9db0d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ss ** *6 ]Ɋ& !*6  F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=a5e9db26-930b-47ab-9adb-72fdfb5c48b7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=fbcd8443-19f5-49ac-a8ed-94b5ebc9db0d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==** *6 ]Ɋ& 7!X*6  F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=21698319-795b-4f97-b205-eebf616967b8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.** *6 ]Ɋ& O!X*6  F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=21698319-795b-4f97-b205-eebf616967b8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=g** *6 ]Ɋ& K!X*6  F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=21698319-795b-4f97-b205-eebf616967b8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ass** *6 ]Ɋ& C!X*6  F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=21698319-795b-4f97-b205-eebf616967b8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Val** *6 ]Ɋ& C!X*6  F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=21698319-795b-4f97-b205-eebf616967b8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** *6 ]Ɋ& E!X*6  F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=21698319-795b-4f97-b205-eebf616967b8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=at**@ *6 ]Ɋ& !*6  F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=21698319-795b-4f97-b205-eebf616967b8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=dc696c95-1ab6-4deb-adf5-ec4d00070160 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} @**P 6 ]Ɋ& !6  F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=21698319-795b-4f97-b205-eebf616967b8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=dc696c95-1ab6-4deb-adf5-ec4d00070160 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= GetP** 6 ]Ɋ&  !6  F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=19d6cfb7-4201-43b9-931e-abdc6399a624 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=311da077-4d77-4077-9463-b23e1b5affc7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Firs**H ݡ6 ]Ɋ& !Xݡ6  F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0cbc08f0-0c07-4079-9ac1-7159a932cb81 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**` ݡ6 ]Ɋ& !Xݡ6  F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0cbc08f0-0c07-4079-9ac1-7159a932cb81 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=:`**` ݡ6 ]Ɋ& !Xݡ6  F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0cbc08f0-0c07-4079-9ac1-7159a932cb81 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tif`**X ݡ6 ]Ɋ& !Xݡ6  F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0cbc08f0-0c07-4079-9ac1-7159a932cb81 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=re X**X ݡ6 ]Ɋ& !Xݡ6  F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0cbc08f0-0c07-4079-9ac1-7159a932cb81 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=48eX**X ݡ6 ]Ɋ& !Xݡ6  F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0cbc08f0-0c07-4079-9ac1-7159a932cb81 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X** ݡ6 ]Ɋ& !ݡ6  F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0cbc08f0-0c07-4079-9ac1-7159a932cb81 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=29e7a8c5-f76e-4908-aef7-b3354baca36b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** !6 ]Ɋ& K!X!6  F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d5ba58f0-3966-4c87-b4da-de2d9d511174 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-No** !6 ]Ɋ& c!X!6  F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d5ba58f0-3966-4c87-b4da-de2d9d511174 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ere** !6 ]Ɋ& _!X!6  F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d5ba58f0-3966-4c87-b4da-de2d9d511174 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d** !6 ]Ɋ& W!X!6  F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d5ba58f0-3966-4c87-b4da-de2d9d511174 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=O** !6 ]Ɋ& W!X!6  F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d5ba58f0-3966-4c87-b4da-de2d9d511174 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** !6 ]Ɋ& Y!X!6  F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d5ba58f0-3966-4c87-b4da-de2d9d511174 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NetA**X !6 ]Ɋ& !!6  F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d5ba58f0-3966-4c87-b4da-de2d9d511174 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=aa897444-e87d-45cc-9c67-9a6795e604dc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ComX**` !6 ]Ɋ& !!6  F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d5ba58f0-3966-4c87-b4da-de2d9d511174 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=aa897444-e87d-45cc-9c67-9a6795e604dc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=te`**  !6 ]Ɋ& w !X!6  F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=fcc414b2-0678-4ba1-9143-e61e46814104 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8 !6 ]Ɋ&  !X!6  F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=fcc414b2-0678-4ba1-9143-e61e46814104 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t8**8 !6 ]Ɋ&  !X!6  F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=fcc414b2-0678-4ba1-9143-e61e46814104 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ut 8**0 !6 ]Ɋ&  !X!6  F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=fcc414b2-0678-4ba1-9143-e61e46814104 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e-O0put "ERROR:$ ]Ɋ& erX!6  F&eId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X: ]Ɋ& ipX5  F&mandType= ScriptName= CommandPath= CommandLine=ElfChnk ! !_x[JMu=VysMc&&**0 !6 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X!6  F&F%g>9{p(xlMD EventDatauoData !Binary` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=fcc414b2-0678-4ba1-9143-e61e46814104 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0 !6 ]Ɋ&  !X!6  F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=fcc414b2-0678-4ba1-9143-e61e46814104 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nd0** !6 ]Ɋ&  !!6  F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=fcc414b2-0678-4ba1-9143-e61e46814104 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=ab6c80c0-258f-4170-b865-fd618be2f861 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ne** [6 ]Ɋ&  ![6  F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=fcc414b2-0678-4ba1-9143-e61e46814104 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=ab6c80c0-258f-4170-b865-fd618be2f861 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c-a8** [6 ]Ɋ&  !X[6  F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1273d84a-0ff3-444b-9e0c-7f8e6987ec4f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y ** [6 ]Ɋ&  !X[6  F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1273d84a-0ff3-444b-9e0c-7f8e6987ec4f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i ** [6 ]Ɋ&  !X[6  F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1273d84a-0ff3-444b-9e0c-7f8e6987ec4f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=to ** [6 ]Ɋ&  !X[6  F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1273d84a-0ff3-444b-9e0c-7f8e6987ec4f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-No ** [6 ]Ɋ&  !X[6  F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1273d84a-0ff3-444b-9e0c-7f8e6987ec4f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== ** [6 ]Ɋ&  !X[6  F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1273d84a-0ff3-444b-9e0c-7f8e6987ec4f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** [6 ]Ɋ& e ![6  F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1273d84a-0ff3-444b-9e0c-7f8e6987ec4f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=3d9cf06d-c839-41e9-b7d5-b7e1713daf67 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.0 ** R6 ]Ɋ& q !R6  F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=1273d84a-0ff3-444b-9e0c-7f8e6987ec4f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=3d9cf06d-c839-41e9-b7d5-b7e1713daf67 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ne\b **8 R6 ]Ɋ& !XR6  F&hAliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=51e9821c-a02a-430b-bf0c-bbefe4ce55f1 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $items = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop | Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption $items | ConvertTo-Json -Compress } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8**P R6 ]Ɋ& !XR6  F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=51e9821c-a02a-430b-bf0c-bbefe4ce55f1 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $items = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop | Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption $items | ConvertTo-Json -Compress } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=EnP**H R6 ]Ɋ& !XR6  F&|FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=51e9821c-a02a-430b-bf0c-bbefe4ce55f1 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $items = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop | Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption $items | ConvertTo-Json -Compress } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=aH**@ R6 ]Ɋ& !XR6  F&tFunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=51e9821c-a02a-430b-bf0c-bbefe4ce55f1 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $items = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop | Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption $items | ConvertTo-Json -Compress } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e@**@ R6 ]Ɋ& !XR6  F&tRegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=51e9821c-a02a-430b-bf0c-bbefe4ce55f1 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $items = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop | Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption $items | ConvertTo-Json -Compress } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= @**H R6 ]Ɋ& !XR6  F&vVariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=51e9821c-a02a-430b-bf0c-bbefe4ce55f1 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $items = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop | Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption $items | ConvertTo-Json -Compress } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rsioH** R6 ]Ɋ& !R6  F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=51e9821c-a02a-430b-bf0c-bbefe4ce55f1 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $items = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop | Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption $items | ConvertTo-Json -Compress } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion=4.0 RunspaceId=83ded305-b178-4c43-b2f1-d7f52cfac44d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on=p** 6 ]Ɋ& !6  F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=51e9821c-a02a-430b-bf0c-bbefe4ce55f1 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $items = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop | Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption $items | ConvertTo-Json -Compress } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion=4.0 RunspaceId=83ded305-b178-4c43-b2f1-d7f52cfac44d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nI**!6 ]Ɋ& %!X6! F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7972ff28-af7b-4de0-8970-d44e47a2c604 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $paths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" ) foreach ($path in $paths) { $base = $path -replace '\\\*$', '' if (-not (Test-Path $base)) { continue } $items = Get-ItemProperty $path -ErrorAction SilentlyContinue foreach ($item in $items) { $displayName = $item.DisplayName if (-not $displayName) { continue } if ($item.SystemComponent -eq 1) { continue } if ($displayName -match '^(KB\d+|Update for|Hotfix for|Security Update for)') { continue } $version = $item.DisplayVersion if (-not $version) { $version = "" } $publisher = $item.Publisher if (-not $publisher) { $publisher = "" } $installDate = $item.InstallDate if (-not $installDate) { $installDate = "" } $cleanPublisher = $publisher -replace '[^a-zA-Z0-9]', '' $cleanName = $displayName -replace '[^a-zA-Z0-9]', '' $packageID = "" if ($cleanPublisher.Length -gt 0 -and $cleanName.Length -gt 0 -and $cleanPublisher.Length -lt 50 -and $cleanName.Length -lt 100) { $packageID = "$cleanPublisher.$cleanName" } [PSCustomObject]@{ Name = $displayName Version = $version Publisher = $publisher InstallDate = $installDate PackageID = $packageID Source = "registry" } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f **!6 ]Ɋ& =!X6! F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7972ff28-af7b-4de0-8970-d44e47a2c604 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $paths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" ) foreach ($path in $paths) { $base = $path -replace '\\\*$', '' if (-not (Test-Path $base)) { continue } $items = Get-ItemProperty $path -ErrorAction SilentlyContinue foreach ($item in $items) { $displayName = $item.DisplayName if (-not $displayName) { continue } if ($item.SystemComponent -eq 1) { continue } if ($displayName -match '^(KB\d+|Update for|Hotfix for|Security Update for)') { continue } $version = $item.DisplayVersion if (-not $version) { $version = "" } $publisher = $item.Publisher if (-not $publisher) { $publisher = "" } $installDate = $item.InstallDate if (-not $installDate) { $installDate = "" } $cleanPublisher = $publisher -replace '[^a-zA-Z0-9]', '' $cleanName = $displayName -replace '[^a-zA-Z0-9]', '' $packageID = "" if ($cleanPublisher.Length -gt 0 -and $cleanName.Length -gt 0 -and $cleanPublisher.Length -lt 50 -and $cleanName.Length -lt 100) { $packageID = "$cleanPublisher.$cleanName" } [PSCustomObject]@{ Name = $displayName Version = $version Publisher = $publisher InstallDate = $installDate PackageID = $packageID Source = "registry" } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==C**!6 ]Ɋ& 9!X6! F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7972ff28-af7b-4de0-8970-d44e47a2c604 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $paths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" ) foreach ($path in $paths) { $base = $path -replace '\\\*$', '' if (-not (Test-Path $base)) { continue } $items = Get-ItemProperty $path -ErrorAction SilentlyContinue foreach ($item in $items) { $displayName = $item.DisplayName if (-not $displayName) { continue } if ($item.SystemComponent -eq 1) { continue } if ($displayName -match '^(KB\d+|Update for|Hotfix for|Security Update for)') { continue } $version = $item.DisplayVersion if (-not $version) { $version = "" } $publisher = $item.Publisher if (-not $publisher) { $publisher = "" } $installDate = $item.InstallDate if (-not $installDate) { $installDate = "" } $cleanPublisher = $publisher -replace '[^a-zA-Z0-9]', '' $cleanName = $displayName -replace '[^a-zA-Z0-9]', '' $packageID = "" if ($cleanPublisher.Length -gt 0 -and $cleanName.Length -gt 0 -and $cleanPublisher.Length -lt 50 -and $cleanName.Length -lt 100) { $packageID = "$cleanPublisher.$cleanName" } [PSCustomObject]@{ Name = $displayName Version = $version Publisher = $publisher InstallDate = $installDate PackageID = $packageID Source = "registry" } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= SorObject Route ]Ɋ& t-X6! F&Action SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e-O0put "ERROR:$ ]Ɋ& erX!6  F&eId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X: ]Ɋ& ipX5  F&mandType= ScriptName= CommandPath= CommandLine=ElfChnk!"!!"!(0X Mu=VysMc&&**!6 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X6! F&F%g>9{p(xlMD EventDatauoData !BinaryFunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7972ff28-af7b-4de0-8970-d44e47a2c604 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $paths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" ) foreach ($path in $paths) { $base = $path -replace '\\\*$', '' if (-not (Test-Path $base)) { continue } $items = Get-ItemProperty $path -ErrorAction SilentlyContinue foreach ($item in $items) { $displayName = $item.DisplayName if (-not $displayName) { continue } if ($item.SystemComponent -eq 1) { continue } if ($displayName -match '^(KB\d+|Update for|Hotfix for|Security Update for)') { continue } $version = $item.DisplayVersion if (-not $version) { $version = "" } $publisher = $item.Publisher if (-not $publisher) { $publisher = "" } $installDate = $item.InstallDate if (-not $installDate) { $installDate = "" } $cleanPublisher = $publisher -replace '[^a-zA-Z0-9]', '' $cleanName = $displayName -replace '[^a-zA-Z0-9]', '' $packageID = "" if ($cleanPublisher.Length -gt 0 -and $cleanName.Length -gt 0 -and $cleanPublisher.Length -lt 50 -and $cleanName.Length -lt 100) { $packageID = "$cleanPublisher.$cleanName" } [PSCustomObject]@{ Name = $displayName Version = $version Publisher = $publisher InstallDate = $installDate PackageID = $packageID Source = "registry" } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**!6 ]Ɋ& 1!X6! F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7972ff28-af7b-4de0-8970-d44e47a2c604 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $paths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" ) foreach ($path in $paths) { $base = $path -replace '\\\*$', '' if (-not (Test-Path $base)) { continue } $items = Get-ItemProperty $path -ErrorAction SilentlyContinue foreach ($item in $items) { $displayName = $item.DisplayName if (-not $displayName) { continue } if ($item.SystemComponent -eq 1) { continue } if ($displayName -match '^(KB\d+|Update for|Hotfix for|Security Update for)') { continue } $version = $item.DisplayVersion if (-not $version) { $version = "" } $publisher = $item.Publisher if (-not $publisher) { $publisher = "" } $installDate = $item.InstallDate if (-not $installDate) { $installDate = "" } $cleanPublisher = $publisher -replace '[^a-zA-Z0-9]', '' $cleanName = $displayName -replace '[^a-zA-Z0-9]', '' $packageID = "" if ($cleanPublisher.Length -gt 0 -and $cleanName.Length -gt 0 -and $cleanPublisher.Length -lt 50 -and $cleanName.Length -lt 100) { $packageID = "$cleanPublisher.$cleanName" } [PSCustomObject]@{ Name = $displayName Version = $version Publisher = $publisher InstallDate = $installDate PackageID = $packageID Source = "registry" } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($ro**!6 ]Ɋ& 3!X6! F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7972ff28-af7b-4de0-8970-d44e47a2c604 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $paths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" ) foreach ($path in $paths) { $base = $path -replace '\\\*$', '' if (-not (Test-Path $base)) { continue } $items = Get-ItemProperty $path -ErrorAction SilentlyContinue foreach ($item in $items) { $displayName = $item.DisplayName if (-not $displayName) { continue } if ($item.SystemComponent -eq 1) { continue } if ($displayName -match '^(KB\d+|Update for|Hotfix for|Security Update for)') { continue } $version = $item.DisplayVersion if (-not $version) { $version = "" } $publisher = $item.Publisher if (-not $publisher) { $publisher = "" } $installDate = $item.InstallDate if (-not $installDate) { $installDate = "" } $cleanPublisher = $publisher -replace '[^a-zA-Z0-9]', '' $cleanName = $displayName -replace '[^a-zA-Z0-9]', '' $packageID = "" if ($cleanPublisher.Length -gt 0 -and $cleanName.Length -gt 0 -and $cleanPublisher.Length -lt 50 -and $cleanName.Length -lt 100) { $packageID = "$cleanPublisher.$cleanName" } [PSCustomObject]@{ Name = $displayName Version = $version Publisher = $publisher InstallDate = $installDate PackageID = $packageID Source = "registry" } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=res**0!6 ]Ɋ& !6! F&`AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7972ff28-af7b-4de0-8970-d44e47a2c604 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $paths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" ) foreach ($path in $paths) { $base = $path -replace '\\\*$', '' if (-not (Test-Path $base)) { continue } $items = Get-ItemProperty $path -ErrorAction SilentlyContinue foreach ($item in $items) { $displayName = $item.DisplayName if (-not $displayName) { continue } if ($item.SystemComponent -eq 1) { continue } if ($displayName -match '^(KB\d+|Update for|Hotfix for|Security Update for)') { continue } $version = $item.DisplayVersion if (-not $version) { $version = "" } $publisher = $item.Publisher if (-not $publisher) { $publisher = "" } $installDate = $item.InstallDate if (-not $installDate) { $installDate = "" } $cleanPublisher = $publisher -replace '[^a-zA-Z0-9]', '' $cleanName = $displayName -replace '[^a-zA-Z0-9]', '' $packageID = "" if ($cleanPublisher.Length -gt 0 -and $cleanName.Length -gt 0 -and $cleanPublisher.Length -lt 50 -and $cleanName.Length -lt 100) { $packageID = "$cleanPublisher.$cleanName" } [PSCustomObject]@{ Name = $displayName Version = $version Publisher = $publisher InstallDate = $installDate PackageID = $packageID Source = "registry" } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion=4.0 RunspaceId=ff49768a-6ba3-4b34-8311-6fe76903817f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= F0**8!6 ]Ɋ& !6! F&lStoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=7972ff28-af7b-4de0-8970-d44e47a2c604 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $paths = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" ) foreach ($path in $paths) { $base = $path -replace '\\\*$', '' if (-not (Test-Path $base)) { continue } $items = Get-ItemProperty $path -ErrorAction SilentlyContinue foreach ($item in $items) { $displayName = $item.DisplayName if (-not $displayName) { continue } if ($item.SystemComponent -eq 1) { continue } if ($displayName -match '^(KB\d+|Update for|Hotfix for|Security Update for)') { continue } $version = $item.DisplayVersion if (-not $version) { $version = "" } $publisher = $item.Publisher if (-not $publisher) { $publisher = "" } $installDate = $item.InstallDate if (-not $installDate) { $installDate = "" } $cleanPublisher = $publisher -replace '[^a-zA-Z0-9]', '' $cleanName = $displayName -replace '[^a-zA-Z0-9]', '' $packageID = "" if ($cleanPublisher.Length -gt 0 -and $cleanName.Length -gt 0 -and $cleanPublisher.Length -lt 50 -and $cleanName.Length -lt 100) { $packageID = "$cleanPublisher.$cleanName" } [PSCustomObject]@{ Name = $displayName Version = $version Publisher = $publisher InstallDate = $installDate PackageID = $packageID Source = "registry" } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion=4.0 RunspaceId=ff49768a-6ba3-4b34-8311-6fe76903817f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-8**x!6 ]Ɋ& !X6! F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0f34c1c2-ad8e-4ab0-a43d-c0e8a109c098 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $modules = Get-InstalledModule -ErrorAction SilentlyContinue if ($modules) { foreach ($mod in $modules) { [PSCustomObject]@{ Name = $mod.Name Version = $mod.Version.ToString() Repository = $mod.Repository Author = $mod.Author } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=in ix** !6 ]Ɋ& !X6 ! F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0f34c1c2-ad8e-4ab0-a43d-c0e8a109c098 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $modules = Get-InstalledModule -ErrorAction SilentlyContinue if ($modules) { foreach ($mod in $modules) { [PSCustomObject]@{ Name = $mod.Name Version = $mod.Version.ToString() Repository = $mod.Repository Author = $mod.Author } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=@() ** !6 ]Ɋ& !X6 ! F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0f34c1c2-ad8e-4ab0-a43d-c0e8a109c098 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $modules = Get-InstalledModule -ErrorAction SilentlyContinue if ($modules) { foreach ($mod in $modules) { [PSCustomObject]@{ Name = $mod.Name Version = $mod.Version.ToString() Repository = $mod.Repository Author = $mod.Author } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=um** !6 ]Ɋ& !X6 ! F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0f34c1c2-ad8e-4ab0-a43d-c0e8a109c098 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $modules = Get-InstalledModule -ErrorAction SilentlyContinue if ($modules) { foreach ($mod in $modules) { [PSCustomObject]@{ Name = $mod.Name Version = $mod.Version.ToString() Repository = $mod.Repository Author = $mod.Author } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n=** !6 ]Ɋ& !X6 ! F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0f34c1c2-ad8e-4ab0-a43d-c0e8a109c098 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $modules = Get-InstalledModule -ErrorAction SilentlyContinue if ($modules) { foreach ($mod in $modules) { [PSCustomObject]@{ Name = $mod.Name Version = $mod.Version.ToString() Repository = $mod.Repository Author = $mod.Author } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sD** !6 ]Ɋ& !X6 ! F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0f34c1c2-ad8e-4ab0-a43d-c0e8a109c098 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $modules = Get-InstalledModule -ErrorAction SilentlyContinue if ($modules) { foreach ($mod in $modules) { [PSCustomObject]@{ Name = $mod.Name Version = $mod.Version.ToString() Repository = $mod.Repository Author = $mod.Author } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**!6 ]Ɋ& '!6! F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0f34c1c2-ad8e-4ab0-a43d-c0e8a109c098 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $modules = Get-InstalledModule -ErrorAction SilentlyContinue if ($modules) { foreach ($mod in $modules) { [PSCustomObject]@{ Name = $mod.Name Version = $mod.Version.ToString() Repository = $mod.Repository Author = $mod.Author } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion=4.0 RunspaceId=db2230ab-edf7-4e57-a896-99e355839ebf PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s**!6 ]Ɋ& 3!6! F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=0f34c1c2-ad8e-4ab0-a43d-c0e8a109c098 HostApplication=powershell.exe -NoProfile -NonInteractive -Command try { $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" $modules = Get-InstalledModule -ErrorAction SilentlyContinue if ($modules) { foreach ($mod in $modules) { [PSCustomObject]@{ Name = $mod.Name Version = $mod.Version.ToString() Repository = $mod.Repository Author = $mod.Author } | ConvertTo-Json -Compress Write-Output "---SEPARATOR---" } } } catch { Write-Error $_.Exception.Message; exit 1 } EngineVersion=4.0 RunspaceId=db2230ab-edf7-4e57-a896-99e355839ebf PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ite**!6 ]Ɋ& 7!X6! F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=cb7611b3-05e4-4c20-9f14-5b2d4e9276f1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S**!6 ]Ɋ& O!X6! F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=cb7611b3-05e4-4c20-9f14-5b2d4e9276f1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **!6 ]Ɋ& K!X6! F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=cb7611b3-05e4-4c20-9f14-5b2d4e9276f1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xe **!6 ]Ɋ& C!X6! F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=cb7611b3-05e4-4c20-9f14-5b2d4e9276f1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=efe**!6 ]Ɋ& C!X6! F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=cb7611b3-05e4-4c20-9f14-5b2d4e9276f1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rsi**!6 ]Ɋ& E!X6! F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=cb7611b3-05e4-4c20-9f14-5b2d4e9276f1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d **@!6 ]Ɋ& !6! F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=cb7611b3-05e4-4c20-9f14-5b2d4e9276f1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=1ff0c95b-2bcc-4da1-b680-5c39b8808b18 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=@**P!6 ]Ɋ& !6! F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=cb7611b3-05e4-4c20-9f14-5b2d4e9276f1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=1ff0c95b-2bcc-4da1-b680-5c39b8808b18 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ayNaP**!-6 ]Ɋ&  !-6! F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=0cbc08f0-0c07-4079-9ac1-7159a932cb81 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=29e7a8c5-f76e-4908-aef7-b3354baca36b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ($c**H!&T7 ]Ɋ& !X&T7! F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e7514ec4-d562-49ec-ba47-cc9fa4822f09 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pH**`!&T7 ]Ɋ& !X&T7! F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e7514ec4-d562-49ec-ba47-cc9fa4822f09 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S`**`!&T7 ]Ɋ& !X&T7! F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e7514ec4-d562-49ec-ba47-cc9fa4822f09 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ($`**X!&T7 ]Ɋ& !X&T7! F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e7514ec4-d562-49ec-ba47-cc9fa4822f09 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=andX**X!&T7 ]Ɋ& !X&T7! F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e7514ec4-d562-49ec-ba47-cc9fa4822f09 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= CX**X!&T7 ]Ɋ& !X&T7! F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e7514ec4-d562-49ec-ba47-cc9fa4822f09 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=:\X**!&T7 ]Ɋ& !&T7! F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e7514ec4-d562-49ec-ba47-cc9fa4822f09 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=ed36f546-083c-49cc-9591-77a0862c7ff9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= =** !o-d7 ]Ɋ&  !o-d7 ! F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e7514ec4-d562-49ec-ba47-cc9fa4822f09 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=ed36f546-083c-49cc-9591-77a0862c7ff9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ **!!#h7 ]Ɋ& K!X#h7!! F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8185c950-9f32-4e50-84e8-89da7b1ea03f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -a**"!#h7 ]Ɋ& c!X#h7"! F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8185c950-9f32-4e50-84e8-89da7b1ea03f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tch # ignor ]Ɋ&  RX#h7#! F&mmandName= CommandType= ScriptName= CommandPath= CommandLine=e-O0put "ERROR:$ ]Ɋ& erX!6  F&eId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X: ]Ɋ& ipX5  F&mandType= ScriptName= CommandPath= CommandLine=ElfChnk#!;!#!;! P++ *Mu=VysMc&&** #!#h7 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X#h7#! F&F%g>9{p(xlMD EventDatauoData !Binary<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8185c950-9f32-4e50-84e8-89da7b1ea03f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  **$!#h7 ]Ɋ& W!X#h7$! F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8185c950-9f32-4e50-84e8-89da7b1ea03f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**%!#h7 ]Ɋ& W!X#h7%! F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8185c950-9f32-4e50-84e8-89da7b1ea03f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S**&!#h7 ]Ɋ& Y!X#h7&! F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8185c950-9f32-4e50-84e8-89da7b1ea03f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=not **X'!#h7 ]Ɋ& !#h7'! F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8185c950-9f32-4e50-84e8-89da7b1ea03f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=78c77946-879c-4614-b6df-edfffa7cab2a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $diX**`(!#h7 ]Ɋ& !#h7(! F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=8185c950-9f32-4e50-84e8-89da7b1ea03f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=78c77946-879c-4614-b6df-edfffa7cab2a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ro`** )!#h7 ]Ɋ& w !X#h7)! F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6d2f343e-e6d4-4bbf-9d86-3087b9d0b323 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8*!#h7 ]Ɋ&  !X#h7*! F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6d2f343e-e6d4-4bbf-9d86-3087b9d0b323 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==8**8+!#h7 ]Ɋ&  !X#h7+! F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6d2f343e-e6d4-4bbf-9d86-3087b9d0b323 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=]',8**0,!#h7 ]Ɋ&  !X#h7,! F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6d2f343e-e6d4-4bbf-9d86-3087b9d0b323 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nvi0**0-!#h7 ]Ɋ&  !X#h7-! F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6d2f343e-e6d4-4bbf-9d86-3087b9d0b323 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=]Ɋ&0**0.!#h7 ]Ɋ&  !X#h7.! F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6d2f343e-e6d4-4bbf-9d86-3087b9d0b323 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=in0**/!#h7 ]Ɋ&  !#h7/! F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6d2f343e-e6d4-4bbf-9d86-3087b9d0b323 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f4eeac8a-a48b-4e87-b614-99a6ac16e8a5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xc**0!i7 ]Ɋ&  !i70! F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=6d2f343e-e6d4-4bbf-9d86-3087b9d0b323 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f4eeac8a-a48b-4e87-b614-99a6ac16e8a5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=peli** 1!i7 ]Ɋ&  !Xi71! F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2d4771b5-780b-4893-b4b0-b8d177f25063 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=N ** 2!i7 ]Ɋ&  !Xi72! F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2d4771b5-780b-4893-b4b0-b8d177f25063 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=v ** 3!i7 ]Ɋ&  !Xi73! F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2d4771b5-780b-4893-b4b0-b8d177f25063 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 4!i7 ]Ɋ&  !Xi74! F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2d4771b5-780b-4893-b4b0-b8d177f25063 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ion ** 5!i7 ]Ɋ&  !Xi75! F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2d4771b5-780b-4893-b4b0-b8d177f25063 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ne ** 6!i7 ]Ɋ&  !Xi76! F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2d4771b5-780b-4893-b4b0-b8d177f25063 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2f ** 7!P#j7 ]Ɋ& e !P#j77! F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2d4771b5-780b-4893-b4b0-b8d177f25063 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=2452ceb2-f5be-471b-8b95-553a99c8c470 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==  ** 8!P#j7 ]Ɋ& q !P#j78! F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=2d4771b5-780b-4893-b4b0-b8d177f25063 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=2452ceb2-f5be-471b-8b95-553a99c8c470 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **9!P#j7 ]Ɋ& 7!XP#j79! F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b00ae035-0088-4b02-9ee1-1c3c6486a768 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **:!P#j7 ]Ɋ& O!XP#j7:! F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b00ae035-0088-4b02-9ee1-1c3c6486a768 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=N**;!P#j7 ]Ɋ& K!XP#j7;! F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b00ae035-0088-4b02-9ee1-1c3c6486a768 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pu"ERROR:$ ] ]Ɋ& XXP#j79{p(xlMD EventDatauoData !Binary FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b00ae035-0088-4b02-9ee1-1c3c6486a768 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **=!P#j7 ]Ɋ& C!XP#j7=! F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b00ae035-0088-4b02-9ee1-1c3c6486a768 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndP**>!P#j7 ]Ɋ& E!XP#j7>! F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b00ae035-0088-4b02-9ee1-1c3c6486a768 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **@?!P#j7 ]Ɋ& !P#j7?! F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b00ae035-0088-4b02-9ee1-1c3c6486a768 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=9d9059de-70f8-46fa-a26f-47d7cdb3e70d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=@**P@!j7 ]Ɋ& !j7@! F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b00ae035-0088-4b02-9ee1-1c3c6486a768 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=9d9059de-70f8-46fa-a26f-47d7cdb3e70d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ine=P**HA!~8 ]Ɋ& !X~8A! F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=af166f94-dc6b-49dc-af56-dca4897b14c8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**`B!~8 ]Ɋ& !X~8B! F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=af166f94-dc6b-49dc-af56-dca4897b14c8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i`**`C!~8 ]Ɋ& !X~8C! F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=af166f94-dc6b-49dc-af56-dca4897b14c8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**XD!~8 ]Ɋ& !X~8D! F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=af166f94-dc6b-49dc-af56-dca4897b14c8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=irsX**XE!~8 ]Ɋ& !X~8E! F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=af166f94-dc6b-49dc-af56-dca4897b14c8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= NeX**XF!~8 ]Ɋ& !X~8F! F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=af166f94-dc6b-49dc-af56-dca4897b14c8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=utX**G!~8 ]Ɋ& !~8G! F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=af166f94-dc6b-49dc-af56-dca4897b14c8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=3d8aaaac-ce6f-4579-bafc-1711f54e2da7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=te**XH!8 ]Ɋ&  !X8H! F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=dfa32fc6-07b3-4888-86d1-3160b6ce1244 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= WX**pI!8 ]Ɋ&  !X8I! F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=dfa32fc6-07b3-4888-86d1-3160b6ce1244 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d p**pJ!8 ]Ɋ&  !X8J! F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=dfa32fc6-07b3-4888-86d1-3160b6ce1244 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=MACAp**hK!8 ]Ɋ&  !X8K! F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=dfa32fc6-07b3-4888-86d1-3160b6ce1244 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t -Fh**hL!8 ]Ɋ&  !X8L! F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=dfa32fc6-07b3-4888-86d1-3160b6ce1244 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $h**hM!8 ]Ɋ&  !X8M! F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=dfa32fc6-07b3-4888-86d1-3160b6ce1244 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**N!8 ]Ɋ&  !8N! F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=dfa32fc6-07b3-4888-86d1-3160b6ce1244 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=5d544fd2-7b43-436d-a664-2d0c5b22f35c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ost**O!8 ]Ɋ& !8O! F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=dfa32fc6-07b3-4888-86d1-3160b6ce1244 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=5d544fd2-7b43-436d-a664-2d0c5b22f35c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==**XP!8 ]Ɋ&  !X8P! F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a50c7514-67df-4456-8629-fc4c23b54537 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eqX**pQ!8 ]Ɋ&  !X8Q! F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a50c7514-67df-4456-8629-fc4c23b54537 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t-p**pR!8 ]Ɋ&  !X8R! F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a50c7514-67df-4456-8629-fc4c23b54537 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**hS!8 ]Ɋ&  !X8S! F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a50c7514-67df-4456-8629-fc4c23b54537 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Eh**hT!8 ]Ɋ&  !X8T! F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a50c7514-67df-4456-8629-fc4c23b54537 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h ]Ɋ&  X8U! F& CommandPath= CommandLine=ElfChnkU!e!U!e!hy̓Mu=VysMc&&**hU!8 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! K!X8U! F&F%g>9{p(xlMD EventDatauoData !Binary VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a50c7514-67df-4456-8629-fc4c23b54537 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**V!8 ]Ɋ&  !8V! F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a50c7514-67df-4456-8629-fc4c23b54537 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=caa2a54e-823a-41ec-a059-b01ec08f350d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Eng**W!8 ]Ɋ& !8W! F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=a50c7514-67df-4456-8629-fc4c23b54537 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=caa2a54e-823a-41ec-a059-b01ec08f350d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** X!8 ]Ɋ& w !X8X! F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ecfb2d3b-4030-46f1-abac-a2a44f6347af HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e **8Y!8 ]Ɋ&  !X8Y! F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ecfb2d3b-4030-46f1-abac-a2a44f6347af HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h8**8Z!8 ]Ɋ&  !X8Z! F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ecfb2d3b-4030-46f1-abac-a2a44f6347af HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**0[!8 ]Ɋ&  !X8[! F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ecfb2d3b-4030-46f1-abac-a2a44f6347af HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nha0**0\!8 ]Ɋ&  !X8\! F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ecfb2d3b-4030-46f1-abac-a2a44f6347af HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0]!8 ]Ɋ&  !X8]! F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ecfb2d3b-4030-46f1-abac-a2a44f6347af HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=yU0**^!8 ]Ɋ&  !8^! F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ecfb2d3b-4030-46f1-abac-a2a44f6347af HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=5aab0aaa-7739-4ccc-b680-9587d0a109e7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=si**_!98 ]Ɋ&  !98_! F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=ecfb2d3b-4030-46f1-abac-a2a44f6347af HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=5aab0aaa-7739-4ccc-b680-9587d0a109e7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **`!98 ]Ɋ&  !X98`! F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a0dfa8d2-a828-4bbd-80bb-b5bd2a1afa76 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nsio**a!98 ]Ɋ&  !X98a! F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a0dfa8d2-a828-4bbd-80bb-b5bd2a1afa76 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ext **b!98 ]Ɋ& !X98b! F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a0dfa8d2-a828-4bbd-80bb-b5bd2a1afa76 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=En**c!98 ]Ɋ&  !X98c! F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a0dfa8d2-a828-4bbd-80bb-b5bd2a1afa76 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **d!98 ]Ɋ&  !X98d! F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a0dfa8d2-a828-4bbd-80bb-b5bd2a1afa76 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=an**e!98 ]Ɋ&  !X98e! F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a0dfa8d2-a828-4bbd-80bb-b5bd2a1afa76 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= .Value }  ]Ɋ&  98f! F& empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h ]Ɋ&  X8U! F& CommandPath= CommandLine=ElfChnkf!w!f!w!Hb 6'Mu=VysMc&&**f!98 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !98f! F&F%g>9{p(xlMD EventDatauoData !Binary,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a0dfa8d2-a828-4bbd-80bb-b5bd2a1afa76 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=dd816fa2-35b5-43e1-a874-52fca264d8f6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**g!8 ]Ɋ& [!8g! F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=a0dfa8d2-a828-4bbd-80bb-b5bd2a1afa76 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=dd816fa2-35b5-43e1-a874-52fca264d8f6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le**h! 48 ]Ɋ&  ! 48h! F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=af166f94-dc6b-49dc-af56-dca4897b14c8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=3d8aaaac-ce6f-4579-bafc-1711f54e2da7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sig.**8 i!8 ]Ɋ&  !X8i! F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8316232c-3cdf-4233-a812-649a413d691b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ix8 **P j!8 ]Ɋ&  !X8j! F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8316232c-3cdf-4233-a812-649a413d691b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l P **P k!8 ]Ɋ&  !X8k! F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8316232c-3cdf-4233-a812-649a413d691b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ershP **H l!8 ]Ɋ&  !X8l! F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8316232c-3cdf-4233-a812-649a413d691b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ber=H **H m!8 ]Ɋ&  !X8m! F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8316232c-3cdf-4233-a812-649a413d691b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=XH **H n!8 ]Ɋ&  !X8n! F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8316232c-3cdf-4233-a812-649a413d691b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H ** o!8 ]Ɋ&  !8o! F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8316232c-3cdf-4233-a812-649a413d691b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=0ca8ab49-5684-43f7-a1d7-d3765436aaeb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} ** p!8 ]Ɋ&  !8p! F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=8316232c-3cdf-4233-a812-649a413d691b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=0ca8ab49-5684-43f7-a1d7-d3765436aaeb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c ** q!6e8 ]Ɋ& w !X6e8q! F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1a4731b7-ea77-4789-9921-93ec26789305 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s **8r!6e8 ]Ɋ&  !X6e8r! F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1a4731b7-ea77-4789-9921-93ec26789305 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s8**8s!6e8 ]Ɋ&  !X6e8s! F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1a4731b7-ea77-4789-9921-93ec26789305 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gge8**0t!6e8 ]Ɋ&  !X6e8t! F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1a4731b7-ea77-4789-9921-93ec26789305 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= le0**0u!6e8 ]Ɋ&  !X6e8u! F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1a4731b7-ea77-4789-9921-93ec26789305 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=edT0**0v!6e8 ]Ɋ&  !X6e8v! F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1a4731b7-ea77-4789-9921-93ec26789305 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= i0**w!6e8 ]Ɋ&  !6e8w! F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1a4731b7-ea77-4789-9921-93ec26789305 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=8f2bfbd4-5004-463d-82e2-20c9d33f5492 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= eak }  ]Ɋ& ge6e8x! F&-AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= .Value }  ]Ɋ&  98f! F& empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h ]Ɋ&  X8U! F& CommandPath= CommandLine=ElfChnkx!!x!! u- Mu=VysMc&&**x!6e8 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! q!6e8x! F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=1a4731b7-ea77-4789-9921-93ec26789305 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=8f2bfbd4-5004-463d-82e2-20c9d33f5492 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**y!8 ]Ɋ& K!X8y! F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f91cd8f6-0246-491e-a96b-c82bafa3d074 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Nam**z!8 ]Ɋ& c!X8z! F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f91cd8f6-0246-491e-a96b-c82bafa3d074 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== @**{!8 ]Ɋ& _!X8{! F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f91cd8f6-0246-491e-a96b-c82bafa3d074 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **|!8 ]Ɋ& W!X8|! F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f91cd8f6-0246-491e-a96b-c82bafa3d074 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s**}!8 ]Ɋ& W!X8}! F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f91cd8f6-0246-491e-a96b-c82bafa3d074 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=D**~!8 ]Ɋ& Y!X8~! F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f91cd8f6-0246-491e-a96b-c82bafa3d074 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -Ex**X!8 ]Ɋ& !8! F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f91cd8f6-0246-491e-a96b-c82bafa3d074 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=832a4c0e-f153-4d3c-82b9-40a8120ce9dd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.ComX**`!8 ]Ɋ& !8! F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f91cd8f6-0246-491e-a96b-c82bafa3d074 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=832a4c0e-f153-4d3c-82b9-40a8120ce9dd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=64`** !8 ]Ɋ& w !X8! F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c5045713-6808-4356-9c48-e33923c5acc2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$ **8!8 ]Ɋ&  !X8! F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c5045713-6808-4356-9c48-e33923c5acc2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l8**8!8 ]Ɋ&  !X8! F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c5045713-6808-4356-9c48-e33923c5acc2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rsh8**0!8 ]Ɋ&  !X8! F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c5045713-6808-4356-9c48-e33923c5acc2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e 00**0!8 ]Ɋ&  !X8! F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c5045713-6808-4356-9c48-e33923c5acc2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-or0**0!8 ]Ɋ&  !X8! F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c5045713-6808-4356-9c48-e33923c5acc2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=te0**!8 ]Ɋ&  !8! F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c5045713-6808-4356-9c48-e33923c5acc2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=fbe34925-507d-4839-87dd-4403bf3021cf PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=es**!c8 ]Ɋ&  !c8! F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=c5045713-6808-4356-9c48-e33923c5acc2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=fbe34925-507d-4839-87dd-4403bf3021cf PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mac ** !c8 ]Ɋ&  !Xc8! F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=030465e2-bf8d-43e7-bc2f-7164ffff60ac HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ** !c8 ]Ɋ&  !Xc8! F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=030465e2-bf8d-43e7-bc2f-7164ffff60ac HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** !c8 ]Ɋ&  !Xc8! F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=030465e2-bf8d-43e7-bc2f-7164ffff60ac HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t ** !c8 ]Ɋ&  !Xc8! F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=030465e2-bf8d-43e7-bc2f-7164ffff60ac HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=etR ** !c8 ]Ɋ&  !Xc8! F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=030465e2-bf8d-43e7-bc2f-7164ffff60ac HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Co ** !c8 ]Ɋ&  !Xc8! F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=030465e2-bf8d-43e7-bc2f-7164ffff60ac HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d ** !c8 ]Ɋ& e !c8! F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=030465e2-bf8d-43e7-bc2f-7164ffff60ac HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=02ce749e-5491-4858-a524-c7584f2efcc1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ue  ]Ɋ& ]Ɋ& Xc8! F&ist } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h ]Ɋ&  X8U! F& CommandPath= CommandLine=ElfChnk!!!!jveMu=VysMc&&**`!c8 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! =!Xc8! F&F%g>9{p(xlMD EventDatauoData !Binary AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ae5bd822-756b-4e42-aec1-7ff2cbf4685b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndP`**p!c8 ]Ɋ&  !Xc8! F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ae5bd822-756b-4e42-aec1-7ff2cbf4685b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=osp**p!c8 ]Ɋ&  !Xc8! F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ae5bd822-756b-4e42-aec1-7ff2cbf4685b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sk"}p**h!c8 ]Ɋ&  !Xc8! F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ae5bd822-756b-4e42-aec1-7ff2cbf4685b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h!c8 ]Ɋ&  !Xc8! F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ae5bd822-756b-4e42-aec1-7ff2cbf4685b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= # ih**h!c8 ]Ɋ&  !Xc8! F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ae5bd822-756b-4e42-aec1-7ff2cbf4685b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ih**!c8 ]Ɋ&  !c8! F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ae5bd822-756b-4e42-aec1-7ff2cbf4685b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=a74f3d66-7f05-438e-bc39-26cbc34df882 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ror**!c8 ]Ɋ& !c8! F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ae5bd822-756b-4e42-aec1-7ff2cbf4685b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=a74f3d66-7f05-438e-bc39-26cbc34df882 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2**X!.8 ]Ɋ&  !X.8! F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c365d50a-a328-4e31-970e-6c457da4b0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fiX**p!.8 ]Ɋ&  !X.8! F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c365d50a-a328-4e31-970e-6c457da4b0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=IPp**p!.8 ]Ɋ&  !X.8! F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c365d50a-a328-4e31-970e-6c457da4b0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tewap**h!.8 ]Ɋ&  !X.8! F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c365d50a-a328-4e31-970e-6c457da4b0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=and h**h!.8 ]Ɋ&  !X.8! F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c365d50a-a328-4e31-970e-6c457da4b0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=&h**h!.8 ]Ɋ&  !X.8! F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c365d50a-a328-4e31-970e-6c457da4b0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=verh**!.8 ]Ɋ&  !.8! F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c365d50a-a328-4e31-970e-6c457da4b0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=a4393fff-a3f0-4d3c-bff6-c9d8ff6d0f65 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** !.8 ]Ɋ& q !.8! F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=030465e2-bf8d-43e7-bc2f-7164ffff60ac HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=02ce749e-5491-4858-a524-c7584f2efcc1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ed **!.8 ]Ɋ& !.8! F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c365d50a-a328-4e31-970e-6c457da4b0b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=a4393fff-a3f0-4d3c-bff6-c9d8ff6d0f65 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**!.8 ]Ɋ& 7!X.8! F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f4bf532c-70a7-498d-bcb7-74fcc4b80f66 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oMessage)"  ]Ɋ& peX.8! F&andType= ScriptName= CommandPath= CommandLine=h ]Ɋ&  X8U! F& CommandPath= CommandLine=ElfChnk!!!!vo_Mu=VysMc&&** !.8 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X.8! F&F%g>9{p(xlMD EventDatauoData !Binary,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f4bf532c-70a7-498d-bcb7-74fcc4b80f66 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$( **!.8 ]Ɋ& K!X.8! F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f4bf532c-70a7-498d-bcb7-74fcc4b80f66 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ig**!.8 ]Ɋ& C!X.8! F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f4bf532c-70a7-498d-bcb7-74fcc4b80f66 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=TH **!.8 ]Ɋ& C!X.8! F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f4bf532c-70a7-498d-bcb7-74fcc4b80f66 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) {**!.8 ]Ɋ& E!X.8! F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f4bf532c-70a7-498d-bcb7-74fcc4b80f66 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=id**@!.8 ]Ɋ& !.8! F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f4bf532c-70a7-498d-bcb7-74fcc4b80f66 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=28d2849f-ee4c-4aa6-80ac-2948660878b3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=' @**P!.8 ]Ɋ& !.8! F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f4bf532c-70a7-498d-bcb7-74fcc4b80f66 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=28d2849f-ee4c-4aa6-80ac-2948660878b3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=neVeP**H!N8 ]Ɋ& !XN8! F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=392e0d08-a723-4019-bab6-37772bf4aaa4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_H**`!N8 ]Ɋ& !XN8! F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=392e0d08-a723-4019-bab6-37772bf4aaa4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**`!N8 ]Ɋ& !XN8! F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=392e0d08-a723-4019-bab6-37772bf4aaa4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bac`**X!N8 ]Ɋ& !XN8! F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=392e0d08-a723-4019-bab6-37772bf4aaa4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-7fX**X!N8 ]Ɋ& !XN8! F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=392e0d08-a723-4019-bab6-37772bf4aaa4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-OuX**X!N8 ]Ɋ& !XN8! F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=392e0d08-a723-4019-bab6-37772bf4aaa4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=edX**!N8 ]Ɋ& !N8! F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=392e0d08-a723-4019-bab6-37772bf4aaa4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=8a787dc7-e791-4fe1-8290-ec6f7c794dee PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me**!58 ]Ɋ& K!X58! F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=af172456-203e-4d49-8a90-985d7e1a9580 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **!58 ]Ɋ& c!X58! F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=af172456-203e-4d49-8a90-985d7e1a9580 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Ou**!58 ]Ɋ& _!X58! F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=af172456-203e-4d49-8a90-985d7e1a9580 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**!58 ]Ɋ& W!X58! F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=af172456-203e-4d49-8a90-985d7e1a9580 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=u**!58 ]Ɋ& W!X58! F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=af172456-203e-4d49-8a90-985d7e1a9580 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**!58 ]Ɋ& Y!X58! F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=af172456-203e-4d49-8a90-985d7e1a9580 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= (En**X!58 ]Ɋ& !58! F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=af172456-203e-4d49-8a90-985d7e1a9580 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=1d17b13f-fad6-42ad-884f-7010371cb4ad PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ommaX**`!58 ]Ɋ& !58! F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=af172456-203e-4d49-8a90-985d7e1a9580 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=1d17b13f-fad6-42ad-884f-7010371cb4ad PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=JE`** !58 ]Ɋ& w !X58! F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6f6cca94-08cf-4c4e-83bb-f4488d430b0c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c **8!58 ]Ɋ&  !X58! F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6f6cca94-08cf-4c4e-83bb-f4488d430b0c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8!58 ]Ɋ&  !X58! F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6f6cca94-08cf-4c4e-83bb-f4488d430b0c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$si8**0!58 ]Ɋ&  !X58! F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6f6cca94-08cf-4c4e-83bb-f4488d430b0c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ite0**0!58 ]Ɋ&  !X58! F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6f6cca94-08cf-4c4e-83bb-f4488d430b0c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=STA0**0!58 ]Ɋ&  !X58! F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6f6cca94-08cf-4c4e-83bb-f4488d430b0c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=at0**!58 ]Ɋ&  !58! F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6f6cca94-08cf-4c4e-83bb-f4488d430b0c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f63a7219-df1c-4b66-b446-a63c81f14de2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er**!+8 ]Ɋ&  !+8! F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=6f6cca94-08cf-4c4e-83bb-f4488d430b0c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f63a7219-df1c-4b66-b446-a63c81f14de2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -eq** !+8 ]Ɋ&  !X+8! F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=61e8a334-156d-4514-84e5-1cd4d5ef5dab HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c IPAddress, L ]Ɋ& -JX+8! F&# Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oMessage)"  ]Ɋ& peX.8! F&andType= ScriptName= CommandPath= CommandLine=h ]Ɋ&  X8U! F& CommandPath= CommandLine=ElfChnk!!!!z.e' Mu=VysMc&&** !+8 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !X+8! F&F%g>9{p(xlMD EventDatauoData !BinaryEnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=61e8a334-156d-4514-84e5-1cd4d5ef5dab HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ct ** !+8 ]Ɋ&  !X+8! F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=61e8a334-156d-4514-84e5-1cd4d5ef5dab HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Hos ** !+8 ]Ɋ&  !X+8! F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=61e8a334-156d-4514-84e5-1cd4d5ef5dab HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=man ** !+8 ]Ɋ&  !X+8! F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=61e8a334-156d-4514-84e5-1cd4d5ef5dab HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=et- ** !+8 ]Ɋ&  !X+8! F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=61e8a334-156d-4514-84e5-1cd4d5ef5dab HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H ** !+8 ]Ɋ& e !+8! F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=61e8a334-156d-4514-84e5-1cd4d5ef5dab HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=1c371e69-393a-489d-9b1a-b3984b24dc58 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ru ** !f8 ]Ɋ& q !f8! F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=61e8a334-156d-4514-84e5-1cd4d5ef5dab HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=1c371e69-393a-489d-9b1a-b3984b24dc58 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=! **!f8 ]Ɋ& 7!Xf8! F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=86d8892b-2869-4bf8-826b-916571946c45 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=7**!f8 ]Ɋ& O!Xf8! F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=86d8892b-2869-4bf8-826b-916571946c45 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **!f8 ]Ɋ& K!Xf8! F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=86d8892b-2869-4bf8-826b-916571946c45 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ver**!f8 ]Ɋ& C!Xf8! F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=86d8892b-2869-4bf8-826b-916571946c45 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t **!f8 ]Ɋ& C!Xf8! F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=86d8892b-2869-4bf8-826b-916571946c45 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nso**!f8 ]Ɋ& E!Xf8! F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=86d8892b-2869-4bf8-826b-916571946c45 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tN**@!f8 ]Ɋ& !f8! F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=86d8892b-2869-4bf8-826b-916571946c45 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=2e1d550c-6b84-4192-9bab-58cffd74219f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=si@**P!f8 ]Ɋ& !f8! F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=86d8892b-2869-4bf8-826b-916571946c45 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=2e1d550c-6b84-4192-9bab-58cffd74219f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=st P**!\8 ]Ɋ&  !\8! F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=392e0d08-a723-4019-bab6-37772bf4aaa4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=8a787dc7-e791-4fe1-8290-ec6f7c794dee PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=!**H!@m9 ]Ɋ& !X@m9! F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7a913b3c-aa2c-4ef3-90dd-67bae4f6b32c HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eH**`!@m9 ]Ɋ& !X@m9! F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7a913b3c-aa2c-4ef3-90dd-67bae4f6b32c HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r`**`!@m9 ]Ɋ& !X@m9! F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7a913b3c-aa2c-4ef3-90dd-67bae4f6b32c HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) {`**X!@m9 ]Ɋ& !X@m9! F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7a913b3c-aa2c-4ef3-90dd-67bae4f6b32c HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tryX**X!@m9 ]Ɋ& !X@m9! F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7a913b3c-aa2c-4ef3-90dd-67bae4f6b32c HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=terX**X!@m9 ]Ɋ& !X@m9! F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7a913b3c-aa2c-4ef3-90dd-67bae4f6b32c HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.DX**!@m9 ]Ɋ& !@m9! F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7a913b3c-aa2c-4ef3-90dd-67bae4f6b32c HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=54323ae1-12bc-486f-b521-ab509167f53f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e **!|9 ]Ɋ& K!X|9! F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d16366c6-d02e-4b09-82a6-d528d65f1dbe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ne**!|9 ]Ɋ& c!X|9! F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d16366c6-d02e-4b09-82a6-d528d65f1dbe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**!|9 ]Ɋ& _!X|9! F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d16366c6-d02e-4b09-82a6-d528d65f1dbe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**!|9 ]Ɋ& W!X|9! F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d16366c6-d02e-4b09-82a6-d528d65f1dbe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l**!|9 ]Ɋ& W!X|9! F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d16366c6-d02e-4b09-82a6-d528d65f1dbe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**!|9 ]Ɋ& Y!X|9! F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d16366c6-d02e-4b09-82a6-d528d65f1dbe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=terC**X!|9 ]Ɋ& !|9! F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d16366c6-d02e-4b09-82a6-d528d65f1dbe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b6514fc5-41aa-40ab-a12e-146daed10bd8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=atioX**`!|9 ]Ɋ& !|9! F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d16366c6-d02e-4b09-82a6-d528d65f1dbe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b6514fc5-41aa-40ab-a12e-146daed10bd8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ca`** !|9 ]Ɋ& w !X|9! F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=aea3c3ad-d4b8-4f6a-a799-a11b2647d747 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} **8!|9 ]Ɋ&  !X|9! F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=aea3c3ad-d4b8-4f6a-a799-a11b2647d747 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8!|9 ]Ɋ&  !X|9! F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=aea3c3ad-d4b8-4f6a-a799-a11b2647d747 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= | 8nvertTo-Json ]Ɋ& erX|9! F& } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c IPAddress, L ]Ɋ& -JX+8! F&# Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oMessage)"  ]Ɋ& peX.8! F&andType= ScriptName= CommandPath= CommandLine=h ]Ɋ&  X8U! F& CommandPath= CommandLine=ElfChnk!"!"Ho>/aMu=VysMc&&**0!|9 ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X|9! F&F%g>9{p(xlMD EventDatauoData !Binary` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=aea3c3ad-d4b8-4f6a-a799-a11b2647d747 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0!|9 ]Ɋ&  !X|9! F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=aea3c3ad-d4b8-4f6a-a799-a11b2647d747 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0!|9 ]Ɋ&  !X|9! F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=aea3c3ad-d4b8-4f6a-a799-a11b2647d747 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} 0**!|9 ]Ɋ&  !|9! F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=aea3c3ad-d4b8-4f6a-a799-a11b2647d747 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=a4820298-9579-4d6b-b61d-964caf63c7f5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ss**!|9 ]Ɋ&  !|9! F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=aea3c3ad-d4b8-4f6a-a799-a11b2647d747 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=a4820298-9579-4d6b-b61d-964caf63c7f5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -Ex** !|9 ]Ɋ&  !X|9! F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7672fb72-d3a0-4269-860b-7284d1f20330 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** !|9 ]Ɋ&  !X|9! F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7672fb72-d3a0-4269-860b-7284d1f20330 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o ** !|9 ]Ɋ&  !X|9! F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7672fb72-d3a0-4269-860b-7284d1f20330 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=45 ** !|9 ]Ɋ&  !X|9! F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7672fb72-d3a0-4269-860b-7284d1f20330 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me= ** !|9 ]Ɋ&  !X|9! F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7672fb72-d3a0-4269-860b-7284d1f20330 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=am ** !|9 ]Ɋ&  !X|9! F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7672fb72-d3a0-4269-860b-7284d1f20330 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C ** !|9 ]Ɋ& e !|9! F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7672fb72-d3a0-4269-860b-7284d1f20330 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=1b504964-01d9-4797-af74-f3895ac85a24 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rt ** !7}9 ]Ɋ& q !7}9! F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=7672fb72-d3a0-4269-860b-7284d1f20330 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=1b504964-01d9-4797-af74-f3895ac85a24 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on=p **!7}9 ]Ɋ& 7!X7}9! F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=108c574d-b681-4051-8b53-8d18f10b6a33 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**!7}9 ]Ɋ& O!X7}9! F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=108c574d-b681-4051-8b53-8d18f10b6a33 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **!7}9 ]Ɋ& K!X7}9! F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=108c574d-b681-4051-8b53-8d18f10b6a33 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=aTy**!7}9 ]Ɋ& C!X7}9! F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=108c574d-b681-4051-8b53-8d18f10b6a33 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $_**!7}9 ]Ɋ& C!X7}9! F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=108c574d-b681-4051-8b53-8d18f10b6a33 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bje**!7}9 ]Ɋ& E!X7}9! F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=108c574d-b681-4051-8b53-8d18f10b6a33 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= W**@!7}9 ]Ɋ& !7}9! F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=108c574d-b681-4051-8b53-8d18f10b6a33 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=71761177-c094-4045-85e8-425ee63489f4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pe@**P!7}9 ]Ɋ& !7}9! F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=108c574d-b681-4051-8b53-8d18f10b6a33 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=71761177-c094-4045-85e8-425ee63489f4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $_P**!=c9 ]Ɋ&  !=c9! F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=7a913b3c-aa2c-4ef3-90dd-67bae4f6b32c HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=54323ae1-12bc-486f-b521-ab509167f53f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.0 **H!: ]Ɋ& !X:! F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=018653bb-075d-41cf-87a7-11c54a0cf19f HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=IH**`!: ]Ɋ& !X:! F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=018653bb-075d-41cf-87a7-11c54a0cf19f HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d`**`!: ]Ɋ& !X:! F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=018653bb-075d-41cf-87a7-11c54a0cf19f HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=`**X!: ]Ɋ& !X:! F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=018653bb-075d-41cf-87a7-11c54a0cf19f HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er X**X!: ]Ɋ& !X:! F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=018653bb-075d-41cf-87a7-11c54a0cf19f HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=et-X**X!: ]Ɋ& !X:! F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=018653bb-075d-41cf-87a7-11c54a0cf19f HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dNX**!: ]Ɋ& !:! F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=018653bb-075d-41cf-87a7-11c54a0cf19f HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=655bbd0b-d533-49d3-89cc-abb8fbc69397 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on**X"4 : ]Ɋ&  !X4 :" F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=fe6307c3-dd20-4337-b26f-8127be7a8fd0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=XpeX ]Ɋ& CoX4 :" F&h ]Ɋ&  X8U! F& CommandPath= CommandLine=ElfChnk""""& wFMu=VysMc&&**x"4 : ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! U!X4 :" F&F%g>9{p(xlMD EventDatauoData !Binary EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=fe6307c3-dd20-4337-b26f-8127be7a8fd0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=x**p"4 : ]Ɋ&  !X4 :" F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=fe6307c3-dd20-4337-b26f-8127be7a8fd0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Xp**h"4 : ]Ɋ&  !X4 :" F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=fe6307c3-dd20-4337-b26f-8127be7a8fd0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**h"4 : ]Ɋ&  !X4 :" F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=fe6307c3-dd20-4337-b26f-8127be7a8fd0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h"4 : ]Ɋ&  !X4 :" F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=fe6307c3-dd20-4337-b26f-8127be7a8fd0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= !h**"4 : ]Ɋ&  !4 :" F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=fe6307c3-dd20-4337-b26f-8127be7a8fd0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=f005c8ff-02a9-481a-a56f-48d8ee722963 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ver**" !: ]Ɋ& ! !:" F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=fe6307c3-dd20-4337-b26f-8127be7a8fd0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=f005c8ff-02a9-481a-a56f-48d8ee722963 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X"y): ]Ɋ&  !Xy):" F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f74d64c4-a094-4ce3-99a6-f741ee36f4cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=erX**p "y): ]Ɋ&  !Xy): " F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f74d64c4-a094-4ce3-99a6-f741ee36f4cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**p "y): ]Ɋ&  !Xy): " F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f74d64c4-a094-4ce3-99a6-f741ee36f4cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ex $p**h "y): ]Ɋ&  !Xy): " F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f74d64c4-a094-4ce3-99a6-f741ee36f4cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Geh**h "y): ]Ɋ&  !Xy): " F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f74d64c4-a094-4ce3-99a6-f741ee36f4cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mandh**h "y): ]Ɋ&  !Xy): " F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f74d64c4-a094-4ce3-99a6-f741ee36f4cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d18h**"y): ]Ɋ&  !y):" F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f74d64c4-a094-4ce3-99a6-f741ee36f4cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=8a64dd32-6ef9-423c-b018-5f5756a8ca49 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omm**"*: ]Ɋ& !*:" F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f74d64c4-a094-4ce3-99a6-f741ee36f4cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=8a64dd32-6ef9-423c-b018-5f5756a8ca49 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a** "*: ]Ɋ& w !X*:" F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5b2c54c4-a360-4bfd-8fa3-aaa33274f842 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r **8"*: ]Ɋ&  !X*:" F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5b2c54c4-a360-4bfd-8fa3-aaa33274f842 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8 Ignore and  ]Ɋ&  X*:" F&ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=XpeX ]Ɋ& CoX4 :" F&h ]Ɋ&  X8U! F& CommandPath= CommandLine=ElfChnk""""""`~B:#Mu=VysMc&&**8"*: ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X*:" F&F%g>9{p(xlMD EventDatauoData !Binaryh FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5b2c54c4-a360-4bfd-8fa3-aaa33274f842 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8**0"*: ]Ɋ&  !X*:" F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5b2c54c4-a360-4bfd-8fa3-aaa33274f842 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0"*: ]Ɋ&  !X*:" F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5b2c54c4-a360-4bfd-8fa3-aaa33274f842 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= P0**0"*: ]Ɋ&  !X*:" F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5b2c54c4-a360-4bfd-8fa3-aaa33274f842 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gi0**"*: ]Ɋ&  !*:" F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5b2c54c4-a360-4bfd-8fa3-aaa33274f842 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=72aaa0ab-0eda-4d78-9852-cc4685b9fd42 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== **"3*: ]Ɋ&  !3*:" F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=5b2c54c4-a360-4bfd-8fa3-aaa33274f842 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=72aaa0ab-0eda-4d78-9852-cc4685b9fd42 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==f00**"3*: ]Ɋ&  !X3*:" F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5f1739cc-dd2a-4152-860b-fa4a01ecc1f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n=4.**"3*: ]Ɋ&  !X3*:" F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5f1739cc-dd2a-4152-860b-fa4a01ecc1f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=aceI**"3*: ]Ɋ& !X3*:" F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5f1739cc-dd2a-4152-860b-fa4a01ecc1f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== **"3*: ]Ɋ&  !X3*:" F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5f1739cc-dd2a-4152-860b-fa4a01ecc1f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **"3*: ]Ɋ&  !X3*:" F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5f1739cc-dd2a-4152-860b-fa4a01ecc1f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**"3*: ]Ɋ&  !X3*:" F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5f1739cc-dd2a-4152-860b-fa4a01ecc1f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**"3*: ]Ɋ& O!3*:" F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5f1739cc-dd2a-4152-860b-fa4a01ecc1f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=e54afd51-8e38-4875-b529-0f2938ccbc64 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=v**"B+: ]Ɋ& [!B+:" F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5f1739cc-dd2a-4152-860b-fa4a01ecc1f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=e54afd51-8e38-4875-b529-0f2938ccbc64 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ed **8 "`+: ]Ɋ&  !X`+: " F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=84caa593-2d19-452f-b6bd-9874e73c19da HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ma8 **P !"`+: ]Ɋ&  !X`+:!" F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=84caa593-2d19-452f-b6bd-9874e73c19da HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= P **P ""`+: ]Ɋ&  !X`+:"" F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=84caa593-2d19-452f-b6bd-9874e73c19da HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ltIPP teway -and $ ]Ɋ&  X`+:#" F&ddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8 Ignore and  ]Ɋ&  X*:" F&ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=XpeX ]Ɋ& CoX4 :" F&h ]Ɋ&  X8U! F& CommandPath= CommandLine=ElfChnk#"8"#"8"0y=Mu=VysMc&&**H#"`+: ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! ) !X`+:#" F&F%g>9{p(xlMD EventDatauoData !Binaryv FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=84caa593-2d19-452f-b6bd-9874e73c19da HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**H $"`+: ]Ɋ&  !X`+:$" F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=84caa593-2d19-452f-b6bd-9874e73c19da HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ObjeH **H %"`+: ]Ɋ&  !X`+:%" F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=84caa593-2d19-452f-b6bd-9874e73c19da HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2_NH ** &"s,: ]Ɋ&  !s,:&" F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=84caa593-2d19-452f-b6bd-9874e73c19da HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=df93d764-8fb9-49fc-8d13-11cb4bb355ff PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= | ** '"s,: ]Ɋ&  !s,:'" F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=84caa593-2d19-452f-b6bd-9874e73c19da HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=df93d764-8fb9-49fc-8d13-11cb4bb355ff PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ** ("s,: ]Ɋ& w !Xs,:(" F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=fb6bbbac-c1e7-4aba-9383-6e36c970bb2d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a **8)"s,: ]Ɋ&  !Xs,:)" F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=fb6bbbac-c1e7-4aba-9383-6e36c970bb2d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8*"s,: ]Ɋ&  !Xs,:*" F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=fb6bbbac-c1e7-4aba-9383-6e36c970bb2d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { 8**0+"s,: ]Ɋ&  !Xs,:+" F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=fb6bbbac-c1e7-4aba-9383-6e36c970bb2d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s 0**0,"s,: ]Ɋ&  !Xs,:," F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=fb6bbbac-c1e7-4aba-9383-6e36c970bb2d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=kNa0**0-"s,: ]Ɋ&  !Xs,:-" F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=fb6bbbac-c1e7-4aba-9383-6e36c970bb2d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=st0**."s,: ]Ɋ&  !s,:." F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=fb6bbbac-c1e7-4aba-9383-6e36c970bb2d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=380d3c74-e970-44b6-b443-d273ef362536 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sh**/" -: ]Ɋ&  ! -:/" F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=fb6bbbac-c1e7-4aba-9383-6e36c970bb2d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=380d3c74-e970-44b6-b443-d273ef362536 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=lth **0" -: ]Ɋ& K!X -:0" F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9b058db7-fed5-49f5-962f-8ea25540f7b3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=RNI**1" -: ]Ɋ& c!X -:1" F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9b058db7-fed5-49f5-962f-8ea25540f7b3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=top**2" -: ]Ɋ& _!X -:2" F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9b058db7-fed5-49f5-962f-8ea25540f7b3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c**3" -: ]Ɋ& W!X -:3" F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9b058db7-fed5-49f5-962f-8ea25540f7b3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**4" -: ]Ɋ& W!X -:4" F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9b058db7-fed5-49f5-962f-8ea25540f7b3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**5" -: ]Ɋ& Y!X -:5" F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9b058db7-fed5-49f5-962f-8ea25540f7b3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X6" -: ]Ɋ& ! -:6" F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9b058db7-fed5-49f5-962f-8ea25540f7b3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=1bb4d6e7-ce27-4629-91d5-b36437739763 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=et-CX**`7" -: ]Ɋ& ! -:7" F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9b058db7-fed5-49f5-962f-8ea25540f7b3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=1bb4d6e7-ce27-4629-91d5-b36437739763 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tN`** 8" -: ]Ɋ& w !X -:8" F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=cf59c12d-c586-4b4a-8b54-9dcc379708a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `+: ]Ɋ&  X -:9" F&ngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8 Ignore and  ]Ɋ&  X*:" F&ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=XpeX ]Ɋ& CoX4 :" F&h ]Ɋ&  X8U! F& CommandPath= CommandLine=ElfChnk9"K"9"K"Hy#B3Mu=VysMc&&**@9" -: ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X -:9" F&F%g>9{p(xlMD EventDatauoData !Binaryl EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=cf59c12d-c586-4b4a-8b54-9dcc379708a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er@**8:" -: ]Ɋ&  !X -::" F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=cf59c12d-c586-4b4a-8b54-9dcc379708a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=caa8**0;" -: ]Ɋ&  !X -:;" F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=cf59c12d-c586-4b4a-8b54-9dcc379708a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ass0**0<" -: ]Ɋ&  !X -:<" F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=cf59c12d-c586-4b4a-8b54-9dcc379708a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Add0**0=" -: ]Ɋ&  !X -:=" F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=cf59c12d-c586-4b4a-8b54-9dcc379708a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-D0**>" -: ]Ɋ&  ! -:>" F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=cf59c12d-c586-4b4a-8b54-9dcc379708a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=01d359d7-c94e-4966-a407-114a1ea33e1e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t-**?"#-: ]Ɋ&  !#-:?" F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=cf59c12d-c586-4b4a-8b54-9dcc379708a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=01d359d7-c94e-4966-a407-114a1ea33e1e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($ro** @"#-: ]Ɋ&  !X#-:@" F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=de1cdf0e-0d05-4c1f-b549-09d4dcaf7589 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** A"#-: ]Ɋ&  !X#-:A" F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=de1cdf0e-0d05-4c1f-b549-09d4dcaf7589 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a ** B"#-: ]Ɋ&  !X#-:B" F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=de1cdf0e-0d05-4c1f-b549-09d4dcaf7589 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** C"#-: ]Ɋ&  !X#-:C" F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=de1cdf0e-0d05-4c1f-b549-09d4dcaf7589 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** D"#-: ]Ɋ&  !X#-:D" F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=de1cdf0e-0d05-4c1f-b549-09d4dcaf7589 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= | ** E"#-: ]Ɋ&  !X#-:E" F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=de1cdf0e-0d05-4c1f-b549-09d4dcaf7589 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ti ** F"#-: ]Ɋ& e !#-:F" F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=de1cdf0e-0d05-4c1f-b549-09d4dcaf7589 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=18f1901a-c147-47ca-852c-acb1259b6b80 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bb **XG"=.: ]Ɋ&  !X=.:G" F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ea9f6cb3-8e66-4ce0-b7c9-fc163fb9c8be HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**pH"=.: ]Ɋ&  !X=.:H" F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ea9f6cb3-8e66-4ce0-b7c9-fc163fb9c8be HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cep**pI"=.: ]Ɋ&  !X=.:I" F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ea9f6cb3-8e66-4ce0-b7c9-fc163fb9c8be HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**hJ"=.: ]Ɋ&  !X=.:J" F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ea9f6cb3-8e66-4ce0-b7c9-fc163fb9c8be HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NonIh**hK"=.: ]Ɋ&  !X=.:K" F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ea9f6cb3-8e66-4ce0-b7c9-fc163fb9c8be HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y -ah $_.MACAddre ]Ɋ&  X=.:L" F&in32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `+: ]Ɋ&  X -:9" F&ngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8 Ignore and  ]Ɋ&  X*:" F&ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=XpeX ]Ɋ& CoX4 :" F&h ]Ɋ&  X8U! F& CommandPath= CommandLine=ElfChnkL"f"L"f"IMÉMu=VysMc&&**hL"=.: ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! K!X=.:L" F&F%g>9{p(xlMD EventDatauoData !Binary VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ea9f6cb3-8e66-4ce0-b7c9-fc163fb9c8be HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**M"=.: ]Ɋ&  !=.:M" F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ea9f6cb3-8e66-4ce0-b7c9-fc163fb9c8be HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=c0a65df1-ef9f-4557-ad9f-43677ed8a7d4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**N"=.: ]Ɋ& !=.:N" F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ea9f6cb3-8e66-4ce0-b7c9-fc163fb9c8be HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=c0a65df1-ef9f-4557-ad9f-43677ed8a7d4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**XO"=.: ]Ɋ&  !X=.:O" F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=51c104e0-adfc-450e-84a9-168bed9330b7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ncX**pP"=.: ]Ɋ&  !X=.:P" F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=51c104e0-adfc-450e-84a9-168bed9330b7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=lep**pQ"=.: ]Ɋ&  !X=.:Q" F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=51c104e0-adfc-450e-84a9-168bed9330b7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Hop**hR"=.: ]Ɋ&  !X=.:R" F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=51c104e0-adfc-450e-84a9-168bed9330b7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r=1 h**hS"=.: ]Ɋ&  !X=.:S" F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=51c104e0-adfc-450e-84a9-168bed9330b7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=puteh**hT"=.: ]Ɋ&  !X=.:T" F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=51c104e0-adfc-450e-84a9-168bed9330b7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=derh**U"=.: ]Ɋ&  !=.:U" F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=51c104e0-adfc-450e-84a9-168bed9330b7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=eef178b4-b90e-4329-bcf7-1d2fc5ab6b93 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ter** V"=.: ]Ɋ& q !=.:V" F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=de1cdf0e-0d05-4c1f-b549-09d4dcaf7589 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=18f1901a-c147-47ca-852c-acb1259b6b80 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o.Cs **W"=.: ]Ɋ& !=.:W" F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=51c104e0-adfc-450e-84a9-168bed9330b7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=eef178b4-b90e-4329-bcf7-1d2fc5ab6b93 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **X"=.: ]Ɋ& 7!X=.:X" F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4ff38a42-93b3-4543-ac5f-ac7ac7376b91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**Y"=.: ]Ɋ& O!X=.:Y" F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4ff38a42-93b3-4543-ac5f-ac7ac7376b91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$**Z"=.: ]Ɋ& K!X=.:Z" F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4ff38a42-93b3-4543-ac5f-ac7ac7376b91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=th **["=.: ]Ɋ& C!X=.:[" F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4ff38a42-93b3-4543-ac5f-ac7ac7376b91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f (**\"=.: ]Ɋ& C!X=.:\" F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4ff38a42-93b3-4543-ac5f-ac7ac7376b91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=9c8**]"=.: ]Ɋ& E!X=.:]" F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4ff38a42-93b3-4543-ac5f-ac7ac7376b91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xt**@^"=.: ]Ɋ& !=.:^" F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4ff38a42-93b3-4543-ac5f-ac7ac7376b91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=eeae7827-39ab-451b-b41c-37d727199247 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dL@**P_"P.: ]Ɋ& !P.:_" F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4ff38a42-93b3-4543-ac5f-ac7ac7376b91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=eeae7827-39ab-451b-b41c-37d727199247 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e.SuP**`"0: ]Ɋ&  !0:`" F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=018653bb-075d-41cf-87a7-11c54a0cf19f HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=655bbd0b-d533-49d3-89cc-abb8fbc69397 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **Ha": ]Ɋ& !X:a" F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=10280180-3e13-4dff-848b-209d0c0b3cf7 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tH**`b": ]Ɋ& !X:b" F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=10280180-3e13-4dff-848b-209d0c0b3cf7 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=M`**`c": ]Ɋ& !X:c" F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=10280180-3e13-4dff-848b-209d0c0b3cf7 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y {`**Xd": ]Ɋ& !X:d" F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=10280180-3e13-4dff-848b-209d0c0b3cf7 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**Xe": ]Ɋ& !X:e" F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=10280180-3e13-4dff-848b-209d0c0b3cf7 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**Xf": ]Ɋ& !X:f" F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=10280180-3e13-4dff-848b-209d0c0b3cf7 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X" F& ]Ɋ& :g" F&8U! F& CommandPath= CommandLine=ElfChnkg""g""@`# %JfMu=VysMc&&**g": ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !:g" F&F%g>9{p(xlMD EventDatauoData !BinaryAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=10280180-3e13-4dff-848b-209d0c0b3cf7 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=8deb256d-c166-431d-b316-dcf64fcb74e9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pat**h"TD: ]Ɋ& K!XTD:h" F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5e726fef-a1b0-4fb4-804e-7e172d31c12e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$e**i"TD: ]Ɋ& c!XTD:i" F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5e726fef-a1b0-4fb4-804e-7e172d31c12e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n=p**j"TD: ]Ɋ& _!XTD:j" F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5e726fef-a1b0-4fb4-804e-7e172d31c12e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**k"TD: ]Ɋ& W!XTD:k" F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5e726fef-a1b0-4fb4-804e-7e172d31c12e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **l"TD: ]Ɋ& W!XTD:l" F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5e726fef-a1b0-4fb4-804e-7e172d31c12e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.**m"TD: ]Ɋ& Y!XTD:m" F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5e726fef-a1b0-4fb4-804e-7e172d31c12e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **Xn"TD: ]Ɋ& !TD:n" F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5e726fef-a1b0-4fb4-804e-7e172d31c12e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=0c96e706-4af5-4036-a39d-f03e56af62a9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $enX**`o"TD: ]Ɋ& !TD:o" F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5e726fef-a1b0-4fb4-804e-7e172d31c12e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=0c96e706-4af5-4036-a39d-f03e56af62a9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `** p"TD: ]Ɋ& w !XTD:p" F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c89a9390-845b-4eae-84d4-b8625d283874 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e **8q"TD: ]Ɋ&  !XTD:q" F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c89a9390-845b-4eae-84d4-b8625d283874 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8r"TD: ]Ɋ&  !XTD:r" F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c89a9390-845b-4eae-84d4-b8625d283874 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ct-8**0s"TD: ]Ɋ&  !XTD:s" F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c89a9390-845b-4eae-84d4-b8625d283874 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=lue0**0t"TD: ]Ɋ&  !XTD:t" F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c89a9390-845b-4eae-84d4-b8625d283874 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ns 0**0u"TD: ]Ɋ&  !XTD:u" F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c89a9390-845b-4eae-84d4-b8625d283874 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**v"TD: ]Ɋ&  !TD:v" F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c89a9390-845b-4eae-84d4-b8625d283874 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=58780cc4-13c0-4403-8413-67540c33cd0b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Co**w": ]Ɋ&  !:w" F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=c89a9390-845b-4eae-84d4-b8625d283874 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=58780cc4-13c0-4403-8413-67540c33cd0b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** x": ]Ɋ&  !X:x" F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7d2aebeb-66ca-4112-a14d-a6ee6b4dcd25 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ** y": ]Ɋ&  !X:y" F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7d2aebeb-66ca-4112-a14d-a6ee6b4dcd25 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n ** z": ]Ɋ&  !X:z" F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7d2aebeb-66ca-4112-a14d-a6ee6b4dcd25 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ate ** {": ]Ɋ&  !X:{" F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7d2aebeb-66ca-4112-a14d-a6ee6b4dcd25 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=iou ** |": ]Ɋ&  !X:|" F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7d2aebeb-66ca-4112-a14d-a6ee6b4dcd25 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=all ** }": ]Ɋ&  !X:}" F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7d2aebeb-66ca-4112-a14d-a6ee6b4dcd25 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=in ** ~": ]Ɋ& e !:~" F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7d2aebeb-66ca-4112-a14d-a6ee6b4dcd25 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=4340a74d-e10a-4c92-9fc7-244331df1858 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** "u: ]Ɋ& q !u:" F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=7d2aebeb-66ca-4112-a14d-a6ee6b4dcd25 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=4340a74d-e10a-4c92-9fc7-244331df1858 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Host =10280180-3e ]Ɋ& erXu:" F&Profile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X" F& ]Ɋ& :g" F&8U! F& CommandPath= CommandLine=ElfChnk""""q@cJtMu=VysMc&&** "u: ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !Xu:" F&F%g>9{p(xlMD EventDatauoData !BinaryAliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=01ff0019-7ec4-4191-a75b-4568e3cebf9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rt **"u: ]Ɋ& O!Xu:" F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=01ff0019-7ec4-4191-a75b-4568e3cebf9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**"u: ]Ɋ& K!Xu:" F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=01ff0019-7ec4-4191-a75b-4568e3cebf9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **"u: ]Ɋ& C!Xu:" F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=01ff0019-7ec4-4191-a75b-4568e3cebf9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Fun**"u: ]Ɋ& C!Xu:" F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=01ff0019-7ec4-4191-a75b-4568e3cebf9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=der**"u: ]Ɋ& E!Xu:" F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=01ff0019-7ec4-4191-a75b-4568e3cebf9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **@"u: ]Ɋ& !u:" F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=01ff0019-7ec4-4191-a75b-4568e3cebf9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=a116bcb1-c7c2-4188-8379-1c5ad305877f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=re@**P": ]Ɋ& !:" F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=01ff0019-7ec4-4191-a75b-4568e3cebf9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=a116bcb1-c7c2-4188-8379-1c5ad305877f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ped P**"&5: ]Ɋ&  !&5:" F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=10280180-3e13-4dff-848b-209d0c0b3cf7 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=8deb256d-c166-431d-b316-dcf64fcb74e9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omma**H"Z; ]Ɋ& !XZ;" F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9b47f9e1-6378-439b-a8c3-86f1bdd3181a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=)H**`"Z; ]Ɋ& !XZ;" F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9b47f9e1-6378-439b-a8c3-86f1bdd3181a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**`"Z; ]Ɋ& !XZ;" F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9b47f9e1-6378-439b-a8c3-86f1bdd3181a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**X"Z; ]Ɋ& !XZ;" F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9b47f9e1-6378-439b-a8c3-86f1bdd3181a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-ExX**X"Z; ]Ɋ& !XZ;" F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9b47f9e1-6378-439b-a8c3-86f1bdd3181a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=essX**X"Z; ]Ɋ& !XZ;" F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9b47f9e1-6378-439b-a8c3-86f1bdd3181a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t X**"Z; ]Ɋ& !Z;" F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9b47f9e1-6378-439b-a8c3-86f1bdd3181a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=05c7dc3f-fa4f-4525-a070-6519174be85d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.0**"; ]Ɋ& K!X;" F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=fea50a29-4842-4eaf-9dbf-573de739f44a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **"; ]Ɋ& c!X;" F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=fea50a29-4842-4eaf-9dbf-573de739f44a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **"; ]Ɋ& _!X;" F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=fea50a29-4842-4eaf-9dbf-573de739f44a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **"; ]Ɋ& W!X;" F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=fea50a29-4842-4eaf-9dbf-573de739f44a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=|**"; ]Ɋ& W!X;" F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=fea50a29-4842-4eaf-9dbf-573de739f44a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=N**"; ]Ɋ& Y!X;" F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=fea50a29-4842-4eaf-9dbf-573de739f44a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on S**X"; ]Ɋ& !;" F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=fea50a29-4842-4eaf-9dbf-573de739f44a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=d251b07a-3316-4bb0-9ab4-cddf021fef27 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ost X**`"; ]Ɋ& !;" F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=fea50a29-4842-4eaf-9dbf-573de739f44a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=d251b07a-3316-4bb0-9ab4-cddf021fef27 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= c`** "; ]Ɋ& w !X;" F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d4a47ee6-a8be-4a92-878e-91067595843b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8"; ]Ɋ&  !X;" F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d4a47ee6-a8be-4a92-878e-91067595843b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=M8**8"; ]Ɋ&  !X;" F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d4a47ee6-a8be-4a92-878e-91067595843b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mai8**0"; ]Ɋ&  !X;" F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d4a47ee6-a8be-4a92-878e-91067595843b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a140**0"; ]Ɋ&  !X;" F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d4a47ee6-a8be-4a92-878e-91067595843b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ain0**0"; ]Ɋ&  !X;" F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d4a47ee6-a8be-4a92-878e-91067595843b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=vi0**"; ]Ɋ&  !;" F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d4a47ee6-a8be-4a92-878e-91067595843b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f2f52107-d460-44e8-bf10-44f68c7c3c47 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=co**"I; ]Ɋ&  !I;" F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=d4a47ee6-a8be-4a92-878e-91067595843b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f2f52107-d460-44e8-bf10-44f68c7c3c47 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  ]Ɋ& leXI;" F&dowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X" F& ]Ɋ& :g" F&8U! F& CommandPath= CommandLine=ElfChnk""""`2Mu=VysMc&&** "I; ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !XI;" F&F%g>9{p(xlMD EventDatauoData !BinaryAliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=04ddb70f-3f14-4fb5-8185-cdd7191045fd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le ** "I; ]Ɋ&  !XI;" F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=04ddb70f-3f14-4fb5-8185-cdd7191045fd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** "I; ]Ɋ&  !XI;" F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=04ddb70f-3f14-4fb5-8185-cdd7191045fd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=and ** "I; ]Ɋ&  !XI;" F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=04ddb70f-3f14-4fb5-8185-cdd7191045fd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nre ** "I; ]Ɋ&  !XI;" F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=04ddb70f-3f14-4fb5-8185-cdd7191045fd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=& ** "I; ]Ɋ&  !XI;" F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=04ddb70f-3f14-4fb5-8185-cdd7191045fd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rt ** "I; ]Ɋ& e !I;" F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=04ddb70f-3f14-4fb5-8185-cdd7191045fd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=c1a3db95-9fdc-4e65-b5c1-92cf849ffe0f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= - ** "E; ]Ɋ& q !E;" F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=04ddb70f-3f14-4fb5-8185-cdd7191045fd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=c1a3db95-9fdc-4e65-b5c1-92cf849ffe0f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ame= **"E; ]Ɋ& 7!XE;" F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=828bea27-b3be-40cf-9a31-490aa18a8885 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**"E; ]Ɋ& O!XE;" F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=828bea27-b3be-40cf-9a31-490aa18a8885 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P**"E; ]Ɋ& K!XE;" F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=828bea27-b3be-40cf-9a31-490aa18a8885 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tem**"E; ]Ɋ& C!XE;" F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=828bea27-b3be-40cf-9a31-490aa18a8885 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**"E; ]Ɋ& C!XE;" F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=828bea27-b3be-40cf-9a31-490aa18a8885 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= F**"E; ]Ɋ& E!XE;" F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=828bea27-b3be-40cf-9a31-490aa18a8885 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine="**@"E; ]Ɋ& !E;" F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=828bea27-b3be-40cf-9a31-490aa18a8885 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=8aea524f-7756-4db4-9b8d-bfef2feba24f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e@**P"E; ]Ɋ& !E;" F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=828bea27-b3be-40cf-9a31-490aa18a8885 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=8aea524f-7756-4db4-9b8d-bfef2feba24f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oppeP**",; ]Ɋ&  !,;" F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9b47f9e1-6378-439b-a8c3-86f1bdd3181a HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=05c7dc3f-fa4f-4525-a070-6519174be85d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-9ab**H"`8< ]Ɋ& !X`8<" F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=44c9345e-e0c9-4e9d-adaf-339163bfefde HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tH**`"`8< ]Ɋ& !X`8<" F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=44c9345e-e0c9-4e9d-adaf-339163bfefde HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**`"`8< ]Ɋ& !X`8<" F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=44c9345e-e0c9-4e9d-adaf-339163bfefde HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s }`**X"`8< ]Ɋ& !X`8<" F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=44c9345e-e0c9-4e9d-adaf-339163bfefde HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=helX**X"`8< ]Ɋ& !X`8<" F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=44c9345e-e0c9-4e9d-adaf-339163bfefde HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= iX**X"`8< ]Ɋ& !X`8<" F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=44c9345e-e0c9-4e9d-adaf-339163bfefde HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**"`8< ]Ɋ& !`8<" F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=44c9345e-e0c9-4e9d-adaf-339163bfefde HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=71aa2481-0216-447e-8b60-bbb570aa9624 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ho**X"N8< ]Ɋ&  !XN8<" F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=57413544-8b41-40f6-a0f4-002412e8e21b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**p"N8< ]Ɋ&  !XN8<" F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=57413544-8b41-40f6-a0f4-002412e8e21b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=7ep**p"N8< ]Ɋ&  !XN8<" F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=57413544-8b41-40f6-a0f4-002412e8e21b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=43b p**h"N8< ]Ɋ&  !XN8<" F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=57413544-8b41-40f6-a0f4-002412e8e21b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=shelh**h"N8< ]Ɋ&  !XN8<" F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=57413544-8b41-40f6-a0f4-002412e8e21b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tApph**h"N8< ]Ɋ&  !XN8<" F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=57413544-8b41-40f6-a0f4-002412e8e21b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=manhine=X ]Ɋ& N8<" F& F&8U! F& CommandPath= CommandLine=ElfChnk""""g$;,̀Mu=VysMc&&**"N8< ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !N8<" F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=57413544-8b41-40f6-a0f4-002412e8e21b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=d7f10e7c-ba6d-4f54-9904-2e6882df5265 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**"9< ]Ɋ& !9<" F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=57413544-8b41-40f6-a0f4-002412e8e21b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=d7f10e7c-ba6d-4f54-9904-2e6882df5265 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X"B< ]Ɋ&  !XB<" F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e09ec187-e577-446c-b173-dd7a061d269a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=drX**p"B< ]Ɋ&  !XB<" F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e09ec187-e577-446c-b173-dd7a061d269a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e=p**p"B< ]Ɋ&  !XB<" F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e09ec187-e577-446c-b173-dd7a061d269a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=daptp**h"B< ]Ɋ&  !XB<" F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e09ec187-e577-446c-b173-dd7a061d269a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oProh**h"B< ]Ɋ&  !XB<" F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e09ec187-e577-446c-b173-dd7a061d269a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**h"B< ]Ɋ&  !XB<" F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e09ec187-e577-446c-b173-dd7a061d269a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ameh**"B< ]Ɋ&  !B<" F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e09ec187-e577-446c-b173-dd7a061d269a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=9831354d-7f72-4cda-9d3f-6106b27ebc2b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=5c7**"B< ]Ɋ& !B<" F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e09ec187-e577-446c-b173-dd7a061d269a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=9831354d-7f72-4cda-9d3f-6106b27ebc2b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** "B< ]Ɋ& w !XB<" F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6c54852b-1dde-426e-92db-78f1990074d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8"B< ]Ɋ&  !XB<" F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6c54852b-1dde-426e-92db-78f1990074d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8"B< ]Ɋ&  !XB<" F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6c54852b-1dde-426e-92db-78f1990074d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nce8**0"B< ]Ɋ&  !XB<" F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6c54852b-1dde-426e-92db-78f1990074d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0"B< ]Ɋ&  !XB<" F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6c54852b-1dde-426e-92db-78f1990074d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ced0**0"B< ]Ɋ&  !XB<" F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6c54852b-1dde-426e-92db-78f1990074d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**"B< ]Ɋ&  !B<" F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6c54852b-1dde-426e-92db-78f1990074d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=3356b134-af59-4ea3-bc21-8e5c97babf99 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($uTyped.Enhan ]Ɋ& uTMC<" F&ach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=manhine=X ]Ɋ& N8<" F& F&8U! F& CommandPath= CommandLine=ElfChnk"""" Cxf3Mu=VysMc&&**"MC< ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! q!MC<" F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=6c54852b-1dde-426e-92db-78f1990074d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=3356b134-af59-4ea3-bc21-8e5c97babf99 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**"C< ]Ɋ&  !XC<" F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=3e3fce66-1974-46fa-b795-dcda2270a037 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Name**"C< ]Ɋ&  !XC<" F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=3e3fce66-1974-46fa-b795-dcda2270a037 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=B**"C< ]Ɋ& !XC<" F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=3e3fce66-1974-46fa-b795-dcda2270a037 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**"C< ]Ɋ&  !XC<" F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=3e3fce66-1974-46fa-b795-dcda2270a037 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**"C< ]Ɋ&  !XC<" F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=3e3fce66-1974-46fa-b795-dcda2270a037 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=st**"C< ]Ɋ&  !XC<" F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=3e3fce66-1974-46fa-b795-dcda2270a037 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l**"C< ]Ɋ& O!C<" F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=3e3fce66-1974-46fa-b795-dcda2270a037 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=f59f3f3a-17d8-4f82-8dec-e6bc4a48f5b1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**"C< ]Ɋ& [!C<" F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=3e3fce66-1974-46fa-b795-dcda2270a037 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=f59f3f3a-17d8-4f82-8dec-e6bc4a48f5b1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==e0**"D< ]Ɋ& K!XD<" F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b393ca44-44dd-4dc3-a61b-99b086fa92cf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=et **"D< ]Ɋ& c!XD<" F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b393ca44-44dd-4dc3-a61b-99b086fa92cf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=06b**"D< ]Ɋ& _!XD<" F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b393ca44-44dd-4dc3-a61b-99b086fa92cf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**"D< ]Ɋ& W!XD<" F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b393ca44-44dd-4dc3-a61b-99b086fa92cf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=j**"D< ]Ɋ& W!XD<" F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b393ca44-44dd-4dc3-a61b-99b086fa92cf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **"D< ]Ɋ& Y!XD<" F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b393ca44-44dd-4dc3-a61b-99b086fa92cf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y { **X"D< ]Ɋ& !D<" F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b393ca44-44dd-4dc3-a61b-99b086fa92cf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=4f164f9e-449d-4759-8edc-9129e3bca72a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==StaX**`"D< ]Ɋ& !D<" F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b393ca44-44dd-4dc3-a61b-99b086fa92cf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=4f164f9e-449d-4759-8edc-9129e3bca72a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.M`** "D< ]Ɋ& w !XD<" F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c4aaf26c-64db-47ac-a524-660f702f12b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a **8"D< ]Ɋ&  !XD<" F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c4aaf26c-64db-47ac-a524-660f702f12b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t8**8"D< ]Ɋ&  !XD<" F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c4aaf26c-64db-47ac-a524-660f702f12b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er.8**0"D< ]Ɋ&  !XD<" F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c4aaf26c-64db-47ac-a524-660f702f12b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ter0acAddress  ]Ɋ&  XD<" F&try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=3356b134-af59-4ea3-bc21-8e5c97babf99 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($uTyped.Enhan ]Ɋ& uTMC<" F&ach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=manhine=X ]Ɋ& N8<" F& F&8U! F& CommandPath= CommandLine=ElfChnk""""hxKXMu=VysMc&&**0"D< ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XD<" F&F%g>9{p(xlMD EventDatauoData !Binary` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c4aaf26c-64db-47ac-a524-660f702f12b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0"D< ]Ɋ&  !XD<" F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c4aaf26c-64db-47ac-a524-660f702f12b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=un0**"D< ]Ɋ&  !D<" F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c4aaf26c-64db-47ac-a524-660f702f12b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d2555ade-62aa-4e47-a3d6-577499323f55 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" **8 "}E< ]Ɋ&  !X}E<" F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f118ff81-60ff-4d8e-937d-f6fba8b9a7b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e 8 **P "}E< ]Ɋ&  !X}E<" F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f118ff81-60ff-4d8e-937d-f6fba8b9a7b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nuP **P "}E< ]Ɋ&  !X}E<" F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f118ff81-60ff-4d8e-937d-f6fba8b9a7b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_TasP **H "}E< ]Ɋ&  !X}E<" F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f118ff81-60ff-4d8e-937d-f6fba8b9a7b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e $tH **H "}E< ]Ɋ&  !X}E<" F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f118ff81-60ff-4d8e-937d-f6fba8b9a7b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tputH **H "}E< ]Ɋ&  !X}E<" F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f118ff81-60ff-4d8e-937d-f6fba8b9a7b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=artH ** "}E< ]Ɋ&  !}E<" F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f118ff81-60ff-4d8e-937d-f6fba8b9a7b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=a6a7385a-0a46-4504-ae8e-2e1d704b873d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-eq ** "}E< ]Ɋ&  !}E<" F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f118ff81-60ff-4d8e-937d-f6fba8b9a7b9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=a6a7385a-0a46-4504-ae8e-2e1d704b873d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n ** "=F< ]Ɋ& w !X=F<" F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=63a8679b-b48f-4f09-a807-94baa47eb2b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d **8"=F< ]Ɋ&  !X=F<" F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=63a8679b-b48f-4f09-a807-94baa47eb2b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i8**8"=F< ]Ɋ&  !X=F<" F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=63a8679b-b48f-4f09-a807-94baa47eb2b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 1 8**0"=F< ]Ɋ&  !X=F<" F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=63a8679b-b48f-4f09-a807-94baa47eb2b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=irs0**0"=F< ]Ɋ&  !X=F<" F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=63a8679b-b48f-4f09-a807-94baa47eb2b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Fi0**0"=F< ]Ɋ&  !X=F<" F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=63a8679b-b48f-4f09-a807-94baa47eb2b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Fi0**"=F< ]Ɋ&  !=F<" F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=63a8679b-b48f-4f09-a807-94baa47eb2b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=778244c6-c5f2-4f05-b6ce-382750eec079 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" F& ]Ɋ& CommandPath= Co=F<ElfChnk" #" # YZzMu=VysMc&&**"=F< ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! q!=F<" F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=63a8679b-b48f-4f09-a807-94baa47eb2b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=778244c6-c5f2-4f05-b6ce-382750eec079 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**"ԮF< ]Ɋ& K!XԮF<" F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=aac167d5-9802-4430-bdd0-c2b03ae8fa22 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ent**"ԮF< ]Ɋ& c!XԮF<" F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=aac167d5-9802-4430-bdd0-c2b03ae8fa22 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Fir**"ԮF< ]Ɋ& _!XԮF<" F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=aac167d5-9802-4430-bdd0-c2b03ae8fa22 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine='**"ԮF< ]Ɋ& W!XԮF<" F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=aac167d5-9802-4430-bdd0-c2b03ae8fa22 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=|**"ԮF< ]Ɋ& W!XԮF<" F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=aac167d5-9802-4430-bdd0-c2b03ae8fa22 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **"ԮF< ]Ɋ& Y!XԮF<" F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=aac167d5-9802-4430-bdd0-c2b03ae8fa22 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=*') **X"ԮF< ]Ɋ& !ԮF<" F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=aac167d5-9802-4430-bdd0-c2b03ae8fa22 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=a7f24398-72cd-43c4-9009-1a3dcc3c2a85 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=arteX**`"ԮF< ]Ɋ& !ԮF<" F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=aac167d5-9802-4430-bdd0-c2b03ae8fa22 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=a7f24398-72cd-43c4-9009-1a3dcc3c2a85 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `** "ԮF< ]Ɋ& w !XԮF<" F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=20b217f9-0f88-4da6-9d31-0c937a4acab1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=- **8#ԮF< ]Ɋ&  !XԮF<# F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=20b217f9-0f88-4da6-9d31-0c937a4acab1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a8**8#ԮF< ]Ɋ&  !XԮF<# F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=20b217f9-0f88-4da6-9d31-0c937a4acab1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Dat8**0#ԮF< ]Ɋ&  !XԮF<# F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=20b217f9-0f88-4da6-9d31-0c937a4acab1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sho0**0#ԮF< ]Ɋ&  !XԮF<# F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=20b217f9-0f88-4da6-9d31-0c937a4acab1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cti0**0#ԮF< ]Ɋ&  !XԮF<# F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=20b217f9-0f88-4da6-9d31-0c937a4acab1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d 0**#ԮF< ]Ɋ&  !ԮF<# F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=20b217f9-0f88-4da6-9d31-0c937a4acab1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=24447193-550a-4db6-a7d9-0f608fba0a22 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=in**#jGG< ]Ɋ&  !jGG<# F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=20b217f9-0f88-4da6-9d31-0c937a4acab1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=24447193-550a-4db6-a7d9-0f608fba0a22 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Comm** #jGG< ]Ɋ&  !XjGG<# F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c1e3065c-aa14-406f-be78-a1abbbe881bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** #jGG< ]Ɋ&  !XjGG<# F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c1e3065c-aa14-406f-be78-a1abbbe881bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s ** #jGG< ]Ɋ&  !XjGG< # F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c1e3065c-aa14-406f-be78-a1abbbe881bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** #jGG< ]Ɋ&  !XjGG< # F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c1e3065c-aa14-406f-be78-a1abbbe881bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Net ** #jGG< ]Ɋ&  !XjGG< # F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c1e3065c-aa14-406f-be78-a1abbbe881bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=try ** #jGG< ]Ɋ&  !XjGG< # F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c1e3065c-aa14-406f-be78-a1abbbe881bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ou ** #jGG< ]Ɋ& e !jGG< # F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c1e3065c-aa14-406f-be78-a1abbbe881bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=2394f0c9-ca74-4066-b9a6-fe1b47d2621a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=g  Get-WmiObjec ]Ɋ& erXjGG<# F&$_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=778244c6-c5f2-4f05-b6ce-382750eec079 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" F& ]Ɋ& CommandPath= Co=F<ElfChnk####hDŽ`Mu=VysMc&&**`#jGG< ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! =!XjGG<# F&F%g>9{p(xlMD EventDatauoData !Binary AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e5bd18f1-7874-44ee-8be8-22c2035c6171 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndP`**p#jGG< ]Ɋ&  !XjGG<# F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e5bd18f1-7874-44ee-8be8-22c2035c6171 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=osp**p#jGG< ]Ɋ&  !XjGG<# F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e5bd18f1-7874-44ee-8be8-22c2035c6171 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sk"}p**h#jGG< ]Ɋ&  !XjGG<# F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e5bd18f1-7874-44ee-8be8-22c2035c6171 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h#jGG< ]Ɋ&  !XjGG<# F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e5bd18f1-7874-44ee-8be8-22c2035c6171 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= # ih**h#jGG< ]Ɋ&  !XjGG<# F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e5bd18f1-7874-44ee-8be8-22c2035c6171 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ih**#jGG< ]Ɋ&  !jGG<# F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e5bd18f1-7874-44ee-8be8-22c2035c6171 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=8f7828c2-b0d2-4e6b-9174-6f5fe2f5b50e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ror**#jGG< ]Ɋ& !jGG<# F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e5bd18f1-7874-44ee-8be8-22c2035c6171 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=8f7828c2-b0d2-4e6b-9174-6f5fe2f5b50e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2**X#G< ]Ɋ&  !XG<# F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ee426aee-e0f0-4c58-bbcd-dd074bd2abf3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fiX**p#G< ]Ɋ&  !XG<# F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ee426aee-e0f0-4c58-bbcd-dd074bd2abf3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=IPp**p#G< ]Ɋ&  !XG<# F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ee426aee-e0f0-4c58-bbcd-dd074bd2abf3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tewap**h#G< ]Ɋ&  !XG<# F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ee426aee-e0f0-4c58-bbcd-dd074bd2abf3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=and h**h#G< ]Ɋ&  !XG<# F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ee426aee-e0f0-4c58-bbcd-dd074bd2abf3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=&h**h#G< ]Ɋ&  !XG<# F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ee426aee-e0f0-4c58-bbcd-dd074bd2abf3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=verh** #G< ]Ɋ& q !G<# F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c1e3065c-aa14-406f-be78-a1abbbe881bc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=2394f0c9-ca74-4066-b9a6-fe1b47d2621a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **#G< ]Ɋ&  !G<# F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ee426aee-e0f0-4c58-bbcd-dd074bd2abf3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=37ea3444-f5c7-4c1d-9d61-0225b0ab3329 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d **#G< ]Ɋ& !G<# F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ee426aee-e0f0-4c58-bbcd-dd074bd2abf3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=37ea3444-f5c7-4c1d-9d61-0225b0ab3329 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**#G< ]Ɋ& 7!XG<# F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b984d1c8-2cb4-4025-8c22-34d195f84d21 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  ignore }  ]Ɋ& nsXG< # F&e-382750eec079 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" F& ]Ɋ& CommandPath= Co=F<ElfChnk #C# #C#uMu=VysMc&&** #G< ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XG< # F&F%g>9{p(xlMD EventDatauoData !Binary,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b984d1c8-2cb4-4025-8c22-34d195f84d21 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$( **!#G< ]Ɋ& K!XG<!# F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b984d1c8-2cb4-4025-8c22-34d195f84d21 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ig**"#G< ]Ɋ& C!XG<"# F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b984d1c8-2cb4-4025-8c22-34d195f84d21 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=TH **##G< ]Ɋ& C!XG<## F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b984d1c8-2cb4-4025-8c22-34d195f84d21 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) {**$#G< ]Ɋ& E!XG<$# F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b984d1c8-2cb4-4025-8c22-34d195f84d21 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=id**@%#G< ]Ɋ& !G<%# F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b984d1c8-2cb4-4025-8c22-34d195f84d21 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=fd6d12a0-a219-4d11-a705-6c06ecb0b997 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=' @**P&#G< ]Ɋ& !G<&# F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b984d1c8-2cb4-4025-8c22-34d195f84d21 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=fd6d12a0-a219-4d11-a705-6c06ecb0b997 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=neVeP**'#K=M< ]Ɋ&  !K=M<'# F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=44c9345e-e0c9-4e9d-adaf-339163bfefde HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=71aa2481-0216-447e-8b60-bbb570aa9624 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=issi**(#O< ]Ɋ& U!XO<(# F&2AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5c2da7f8-a0ef-450a-b337-c1ab3042d306 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2.**)#O< ]Ɋ& m!XO<)# F&JEnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5c2da7f8-a0ef-450a-b337-c1ab3042d306 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ***#O< ]Ɋ& i!XO<*# F&FFileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5c2da7f8-a0ef-450a-b337-c1ab3042d306 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ralP**+#O< ]Ɋ& a!XO<+# F&>FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5c2da7f8-a0ef-450a-b337-c1ab3042d306 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **,#O< ]Ɋ& a!XO<,# F&>RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5c2da7f8-a0ef-450a-b337-c1ab3042d306 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**-#O< ]Ɋ& c!XO<-# F&@VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5c2da7f8-a0ef-450a-b337-c1ab3042d306 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Mes**`.#O< ]Ɋ& !O<.# F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5c2da7f8-a0ef-450a-b337-c1ab3042d306 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion=4.0 RunspaceId=074c248c-11ed-45d5-a5eb-e62d1a3fe97c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nce`**h/#O< ]Ɋ& !O</# F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5c2da7f8-a0ef-450a-b337-c1ab3042d306 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion=4.0 RunspaceId=074c248c-11ed-45d5-a5eb-e62d1a3fe97c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ih**H0#1< ]Ɋ& !X1<0# F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a703a6cd-521d-4770-86c6-b6975277c05d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$H**`1#1< ]Ɋ& !X1<1# F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a703a6cd-521d-4770-86c6-b6975277c05d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=]`**`2#1< ]Ɋ& !X1<2# F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a703a6cd-521d-4770-86c6-b6975277c05d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=#`**X3#1< ]Ɋ& !X1<3# F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a703a6cd-521d-4770-86c6-b6975277c05d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=GetX**X4#1< ]Ɋ& !X1<4# F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a703a6cd-521d-4770-86c6-b6975277c05d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_.OX**X5#1< ]Ɋ& !X1<5# F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a703a6cd-521d-4770-86c6-b6975277c05d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=utX**6#1< ]Ɋ& !1<6# F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a703a6cd-521d-4770-86c6-b6975277c05d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=3e81e79e-2ae3-40ea-acf2-5efd218e8c83 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nc**7#< ]Ɋ& K!X<7# F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=fdaf9e54-50d5-41f5-81a8-e412f8224cd2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ect**8#< ]Ɋ& c!X<8# F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=fdaf9e54-50d5-41f5-81a8-e412f8224cd2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= F**9#< ]Ɋ& _!X<9# F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=fdaf9e54-50d5-41f5-81a8-e412f8224cd2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**:#< ]Ɋ& W!X<:# F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=fdaf9e54-50d5-41f5-81a8-e412f8224cd2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$**;#< ]Ɋ& W!X<;# F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=fdaf9e54-50d5-41f5-81a8-e412f8224cd2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **<#< ]Ɋ& Y!X<<# F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=fdaf9e54-50d5-41f5-81a8-e412f8224cd2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=KeyU**X=#< ]Ɋ& !<=# F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=fdaf9e54-50d5-41f5-81a8-e412f8224cd2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=8196f883-3c65-4b16-a8b4-a053e3f199dd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tAppX**`>#< ]Ɋ& !<># F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=fdaf9e54-50d5-41f5-81a8-e412f8224cd2 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=8196f883-3c65-4b16-a8b4-a053e3f199dd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-O`** ?#< ]Ɋ& w !X<?# F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a37f3253-d7ba-46e5-888e-1ffcee895731 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8@#< ]Ɋ&  !X<@# F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a37f3253-d7ba-46e5-888e-1ffcee895731 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8A#< ]Ɋ&  !X<A# F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a37f3253-d7ba-46e5-888e-1ffcee895731 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= }8**0B#< ]Ɋ&  !X<B# F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a37f3253-d7ba-46e5-888e-1ffcee895731 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=# I0**0C#< ]Ɋ&  !X<C# F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a37f3253-d7ba-46e5-888e-1ffcee895731 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=jec0{ $_.Value } ]Ɋ&  X<D# F&k to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=37ea3444-f5c7-4c1d-9d61-0225b0ab3329 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**#G< ]Ɋ& 7!XG<# F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b984d1c8-2cb4-4025-8c22-34d195f84d21 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  ignore }  ]Ɋ& nsXG< # F&e-382750eec079 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" F& ]Ɋ& CommandPath= Co=F<ElfChnkD#e#D#e#c&$CMu=VysMc&&**8D#< ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X<D# F&F%g>9{p(xlMD EventDatauoData !Binaryb VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a37f3253-d7ba-46e5-888e-1ffcee895731 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ica8**E#< ]Ɋ&  !<E# F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a37f3253-d7ba-46e5-888e-1ffcee895731 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f1351981-4b81-49ac-a688-989624ceed8c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ut**F#2< ]Ɋ&  !2<F# F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=a37f3253-d7ba-46e5-888e-1ffcee895731 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f1351981-4b81-49ac-a688-989624ceed8c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= New** G#2< ]Ɋ&  !X2<G# F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c72852f9-ccdb-4040-9aa3-42bd795bcfdf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ** H#2< ]Ɋ&  !X2<H# F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c72852f9-ccdb-4040-9aa3-42bd795bcfdf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** I#2< ]Ɋ&  !X2<I# F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c72852f9-ccdb-4040-9aa3-42bd795bcfdf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=]Ɋ& ** J#2< ]Ɋ&  !X2<J# F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c72852f9-ccdb-4040-9aa3-42bd795bcfdf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Nam ** K#2< ]Ɋ&  !X2<K# F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c72852f9-ccdb-4040-9aa3-42bd795bcfdf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C ** L#2< ]Ɋ&  !X2<L# F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c72852f9-ccdb-4040-9aa3-42bd795bcfdf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** M#2< ]Ɋ& e !2<M# F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c72852f9-ccdb-4040-9aa3-42bd795bcfdf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=23636f14-b04a-46e1-bd4c-be7936b9a4ad PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=3a ** N#< ]Ɋ& q !<N# F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c72852f9-ccdb-4040-9aa3-42bd795bcfdf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=23636f14-b04a-46e1-bd4c-be7936b9a4ad PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Win3 **O#< ]Ɋ& 7!X<O# F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6ca4412f-35f1-4696-8ff9-bcf14dd0f383 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=G**P#< ]Ɋ& O!X<P# F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6ca4412f-35f1-4696-8ff9-bcf14dd0f383 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-**Q#< ]Ɋ& K!X<Q# F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6ca4412f-35f1-4696-8ff9-bcf14dd0f383 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ypa**R#< ]Ɋ& C!X<R# F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6ca4412f-35f1-4696-8ff9-bcf14dd0f383 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Pol**S#< ]Ɋ& C!X<S# F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6ca4412f-35f1-4696-8ff9-bcf14dd0f383 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Exe**T#< ]Ɋ& E!X<T# F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6ca4412f-35f1-4696-8ff9-bcf14dd0f383 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nt**@U#< ]Ɋ& !<U# F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6ca4412f-35f1-4696-8ff9-bcf14dd0f383 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=a83c516a-c748-4f56-beef-6d3d1f6cde01 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e @**PV#< ]Ɋ& !<V# F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=6ca4412f-35f1-4696-8ff9-bcf14dd0f383 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=a83c516a-c748-4f56-beef-6d3d1f6cde01 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oProP**W# = ]Ɋ&  ! =W# F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=a703a6cd-521d-4770-86c6-b6975277c05d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=3e81e79e-2ae3-40ea-acf2-5efd218e8c83 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dres**HX#t= ]Ɋ& !Xt=X# F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d60f0da7-ac7f-4799-b4b5-5a655db5e913 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tH**`Y#t= ]Ɋ& !Xt=Y# F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d60f0da7-ac7f-4799-b4b5-5a655db5e913 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e`**`Z#t= ]Ɋ& !Xt=Z# F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d60f0da7-ac7f-4799-b4b5-5a655db5e913 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eIn`**X[#t= ]Ɋ& !Xt=[# F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d60f0da7-ac7f-4799-b4b5-5a655db5e913 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=jecX**X\#t= ]Ɋ& !Xt=\# F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d60f0da7-ac7f-4799-b4b5-5a655db5e913 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= !X**X]#t= ]Ɋ& !Xt=]# F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d60f0da7-ac7f-4799-b4b5-5a655db5e913 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=maX**^#t= ]Ɋ& !t=^# F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d60f0da7-ac7f-4799-b4b5-5a655db5e913 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a097f54f-b37f-4dbc-90d4-c10c9f363edd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ti**_#= ]Ɋ& K!X=_# F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ec92cec4-f4a4-43f6-9ce1-58429c38e181 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sta**`#= ]Ɋ& c!X=`# F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ec92cec4-f4a4-43f6-9ce1-58429c38e181 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-00**a#= ]Ɋ& _!X=a# F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ec92cec4-f4a4-43f6-9ce1-58429c38e181 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **b#= ]Ɋ& W!X=b# F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ec92cec4-f4a4-43f6-9ce1-58429c38e181 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**c#= ]Ɋ& W!X=c# F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ec92cec4-f4a4-43f6-9ce1-58429c38e181 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **d#= ]Ɋ& Y!X=d# F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ec92cec4-f4a4-43f6-9ce1-58429c38e181 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Name**Xe#= ]Ɋ& !=e# F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ec92cec4-f4a4-43f6-9ce1-58429c38e181 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=3b57980f-287d-45e3-8310-8f8b5ae4043d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X ]Ɋ&  =f# F&eId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" F& ]Ɋ& CommandPath= Co=F<ElfChnkf#~#f#~#(x,YMu=VysMc&&**h f#= ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! E!=f# F&F%g>9{p(xlMD EventDatauoData !BinaryStoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ec92cec4-f4a4-43f6-9ce1-58429c38e181 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=3b57980f-287d-45e3-8310-8f8b5ae4043d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Conh ** g#= ]Ɋ& w !X=g# F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b9d0b1b6-90e7-4fc1-8955-b4d9a57aff5d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S **8h#= ]Ɋ&  !X=h# F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b9d0b1b6-90e7-4fc1-8955-b4d9a57aff5d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e8**8i#= ]Ɋ&  !X=i# F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b9d0b1b6-90e7-4fc1-8955-b4d9a57aff5d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ge8**0j#= ]Ɋ&  !X=j# F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b9d0b1b6-90e7-4fc1-8955-b4d9a57aff5d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0k#= ]Ɋ&  !X=k# F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b9d0b1b6-90e7-4fc1-8955-b4d9a57aff5d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ssF0**0l#= ]Ɋ&  !X=l# F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b9d0b1b6-90e7-4fc1-8955-b4d9a57aff5d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**m#= ]Ɋ&  !=m# F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b9d0b1b6-90e7-4fc1-8955-b4d9a57aff5d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b9946037-01ca-4f56-91b4-54e276fff12d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ge**n#O= ]Ɋ&  !O=n# F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=b9d0b1b6-90e7-4fc1-8955-b4d9a57aff5d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b9946037-01ca-4f56-91b4-54e276fff12d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=":""** o#O= ]Ɋ&  !XO=o# F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4b0bcc82-8e36-4b83-99f8-b42b10f599ce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=x ** p#O= ]Ɋ&  !XO=p# F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4b0bcc82-8e36-4b83-99f8-b42b10f599ce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** q#O= ]Ɋ&  !XO=q# F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4b0bcc82-8e36-4b83-99f8-b42b10f599ce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rfa ** r#O= ]Ɋ&  !XO=r# F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4b0bcc82-8e36-4b83-99f8-b42b10f599ce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-46 ** s#O= ]Ɋ&  !XO=s# F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4b0bcc82-8e36-4b83-99f8-b42b10f599ce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d3d ** t#O= ]Ɋ&  !XO=t# F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4b0bcc82-8e36-4b83-99f8-b42b10f599ce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Li ** u#O= ]Ɋ& e !O=u# F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4b0bcc82-8e36-4b83-99f8-b42b10f599ce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=77e08bdb-3384-4326-8f99-193b18489f33 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ta ** v#&= ]Ɋ& q !&=v# F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4b0bcc82-8e36-4b83-99f8-b42b10f599ce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=77e08bdb-3384-4326-8f99-193b18489f33 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cuti **w#&= ]Ɋ& 7!X&=w# F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=551db70d-8f59-48e0-a7de-512e95527b06 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**x#&= ]Ɋ& O!X&=x# F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=551db70d-8f59-48e0-a7de-512e95527b06 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**y#&= ]Ɋ& K!X&=y# F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=551db70d-8f59-48e0-a7de-512e95527b06 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Nam**z#&= ]Ɋ& C!X&=z# F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=551db70d-8f59-48e0-a7de-512e95527b06 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eId**{#&= ]Ɋ& C!X&={# F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=551db70d-8f59-48e0-a7de-512e95527b06 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Pi**|#&= ]Ɋ& E!X&=|# F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=551db70d-8f59-48e0-a7de-512e95527b06 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ce**@}#&= ]Ɋ& !&=}# F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=551db70d-8f59-48e0-a7de-512e95527b06 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=8b77d7de-e0b6-4431-9313-df95a0fcb7a9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me@**P~#&= ]Ɋ& !&=~# F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=551db70d-8f59-48e0-a7de-512e95527b06 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=8b77d7de-e0b6-4431-9313-df95a0fcb7a9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mandPme= Comman ]Ɋ& ne޲=# F&  =f# F&eId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" F& ]Ɋ& CommandPath= Co=F<ElfChnk####`8_-(hnMu=VysMc&&**#޲= ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !޲=# F&F%g>9{p(xlMD EventDatauoData !BinaryStoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d60f0da7-ac7f-4799-b4b5-5a655db5e913 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a097f54f-b37f-4dbc-90d4-c10c9f363edd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **H#P> ]Ɋ& !XP># F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a3eaa028-4bab-42fa-91bd-a1e042ed4937 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xH**`#P> ]Ɋ& !XP># F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a3eaa028-4bab-42fa-91bd-a1e042ed4937 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n`**`#P> ]Ɋ& !XP># F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a3eaa028-4bab-42fa-91bd-a1e042ed4937 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s W`**X#P> ]Ɋ& !XP># F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a3eaa028-4bab-42fa-91bd-a1e042ed4937 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ostX**X#P> ]Ɋ& !XP># F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a3eaa028-4bab-42fa-91bd-a1e042ed4937 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dapX**X#P> ]Ɋ& !XP># F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a3eaa028-4bab-42fa-91bd-a1e042ed4937 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tiX**#P> ]Ɋ& !P># F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a3eaa028-4bab-42fa-91bd-a1e042ed4937 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=4e3f2b9e-eb8a-4de3-a59b-b3c462d522b6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=FӨ**X#hjQ> ]Ɋ&  !XhjQ># F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d280a984-eacf-4b02-96c1-82b579468715 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tiX**p#hjQ> ]Ɋ&  !XhjQ># F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d280a984-eacf-4b02-96c1-82b579468715 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=trp**p#hjQ> ]Ɋ&  !XhjQ># F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d280a984-eacf-4b02-96c1-82b579468715 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= p**h#hjQ> ]Ɋ&  !XhjQ># F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d280a984-eacf-4b02-96c1-82b579468715 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Hosth**h#hjQ> ]Ɋ&  !XhjQ># F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d280a984-eacf-4b02-96c1-82b579468715 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=enceh**h#hjQ> ]Ɋ&  !XhjQ># F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d280a984-eacf-4b02-96c1-82b579468715 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Sh**#hjQ> ]Ɋ&  !hjQ># F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d280a984-eacf-4b02-96c1-82b579468715 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=6f3e92ff-3dc0-40c9-a2a5-fc78953c67b4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rIn**#hjQ> ]Ɋ& !hjQ># F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d280a984-eacf-4b02-96c1-82b579468715 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=6f3e92ff-3dc0-40c9-a2a5-fc78953c67b4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**X#Z> ]Ɋ&  !XZ># F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d36572b0-4527-47b0-b759-dbd0342545ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rIX**p#Z> ]Ɋ&  !XZ># F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d36572b0-4527-47b0-b759-dbd0342545ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=vap**p#Z> ]Ɋ&  !XZ># F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d36572b0-4527-47b0-b759-dbd0342545ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s +=p**h#Z> ]Ɋ&  !XZ># F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d36572b0-4527-47b0-b759-dbd0342545ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Seleh**h#Z> ]Ɋ&  !XZ># F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d36572b0-4527-47b0-b759-dbd0342545ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h#Z> ]Ɋ&  !XZ># F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d36572b0-4527-47b0-b759-dbd0342545ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=manh try {  ]Ɋ& nrZ># F&dress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=8b77d7de-e0b6-4431-9313-df95a0fcb7a9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me@**P~#&= ]Ɋ& !&=~# F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=551db70d-8f59-48e0-a7de-512e95527b06 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=8b77d7de-e0b6-4431-9313-df95a0fcb7a9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mandPme= Comman ]Ɋ& ne޲=# F&  =f# F&eId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" F& ]Ɋ& CommandPath= Co=F<ElfChnk####6e75Mu=VysMc&&**#Z> ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !Z># F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d36572b0-4527-47b0-b759-dbd0342545ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=370921ff-f83e-42a8-b579-4c196484f4b5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**#Z> ]Ɋ& !Z># F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d36572b0-4527-47b0-b759-dbd0342545ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=370921ff-f83e-42a8-b579-4c196484f4b5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=:** #Z> ]Ɋ& w !XZ># F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=970172fd-c653-4a0e-bdaf-cdfe5156867f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2 **8#Z> ]Ɋ&  !XZ># F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=970172fd-c653-4a0e-bdaf-cdfe5156867f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y8**8#Z> ]Ɋ&  !XZ># F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=970172fd-c653-4a0e-bdaf-cdfe5156867f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**0#Z> ]Ɋ&  !XZ># F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=970172fd-c653-4a0e-bdaf-cdfe5156867f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== $0**0#Z> ]Ɋ&  !XZ># F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=970172fd-c653-4a0e-bdaf-cdfe5156867f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ert0**0#Z> ]Ɋ&  !XZ># F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=970172fd-c653-4a0e-bdaf-cdfe5156867f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eq0**#Z> ]Ɋ&  !Z># F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=970172fd-c653-4a0e-bdaf-cdfe5156867f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=40ae8c3b-ab64-44ce-b177-7ef9308aff55 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-a**#g[> ]Ɋ&  !g[># F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=970172fd-c653-4a0e-bdaf-cdfe5156867f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=40ae8c3b-ab64-44ce-b177-7ef9308aff55 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=if (**#g[> ]Ɋ&  !Xg[># F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a9f1f496-d68b-41f4-8f7d-320674e4b28e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= if**#g[> ]Ɋ&  !Xg[># F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a9f1f496-d68b-41f4-8f7d-320674e4b28e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sig.**#g[> ]Ɋ& !Xg[># F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a9f1f496-d68b-41f4-8f7d-320674e4b28e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rt**#g[> ]Ɋ&  !Xg[># F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a9f1f496-d68b-41f4-8f7d-320674e4b28e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **#g[> ]Ɋ&  !Xg[># F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a9f1f496-d68b-41f4-8f7d-320674e4b28e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ge**#g[> ]Ɋ&  !Xg[># F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a9f1f496-d68b-41f4-8f7d-320674e4b28e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **#g[> ]Ɋ& O!g[># F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a9f1f496-d68b-41f4-8f7d-320674e4b28e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=64b0ea2e-873f-4d6c-abcb-58fc1c5020bd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-95a0fcb7a9  ]Ɋ& ri$\># F&andLine=mandPme= Comman ]Ɋ& ne޲=# F&  =f# F&eId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" F& ]Ɋ& CommandPath= Co=F<ElfChnk####p$OMu=VysMc&&**#$\> ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !$\># F&F%g>9{p(xlMD EventDatauoData !Binary8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=a9f1f496-d68b-41f4-8f7d-320674e4b28e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=64b0ea2e-873f-4d6c-abcb-58fc1c5020bd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**`#Ha> ]Ɋ& !XHa># F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e3166339-2641-46a1-8747-2731b04fcd32 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-rzw5nsb0.ysw.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=th `**x#Ha> ]Ɋ& !XHa># F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e3166339-2641-46a1-8747-2731b04fcd32 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-rzw5nsb0.ysw.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 1 x**p#Ha> ]Ɋ& !XHa># F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e3166339-2641-46a1-8747-2731b04fcd32 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-rzw5nsb0.ysw.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=op**h#Ha> ]Ɋ& !XHa># F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e3166339-2641-46a1-8747-2731b04fcd32 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-rzw5nsb0.ysw.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**h#Ha> ]Ɋ& !XHa># F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e3166339-2641-46a1-8747-2731b04fcd32 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-rzw5nsb0.ysw.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**p#Ha> ]Ɋ& !XHa># F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e3166339-2641-46a1-8747-2731b04fcd32 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-rzw5nsb0.ysw.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $_.p**#Ha> ]Ɋ& !Ha># F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e3166339-2641-46a1-8747-2731b04fcd32 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-rzw5nsb0.ysw.ps1 EngineVersion=4.0 RunspaceId=f0026968-c7f4-4653-b6a0-5885767da461 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ecut**#Ha> ]Ɋ& !Ha># F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=e3166339-2641-46a1-8747-2731b04fcd32 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-rzw5nsb0.ysw.ps1 EngineVersion=4.0 RunspaceId=f0026968-c7f4-4653-b6a0-5885767da461 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** #Ha> ]Ɋ& w !XHa># F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=28f8e69e-8363-4a90-aabd-5174a5638f87 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) **8#Ha> ]Ɋ&  !XHa># F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=28f8e69e-8363-4a90-aabd-5174a5638f87 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8#Ha> ]Ɋ&  !XHa># F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=28f8e69e-8363-4a90-aabd-5174a5638f87 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**0#Ha> ]Ɋ&  !XHa># F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=28f8e69e-8363-4a90-aabd-5174a5638f87 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0#Ha> ]Ɋ&  !XHa># F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=28f8e69e-8363-4a90-aabd-5174a5638f87 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0#Ha> ]Ɋ&  !XHa># F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=28f8e69e-8363-4a90-aabd-5174a5638f87 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=da0**#Ha> ]Ɋ&  !Ha># F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=28f8e69e-8363-4a90-aabd-5174a5638f87 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d92e6477-3666-4ea8-a114-d77e552c7a2e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **#b> ]Ɋ&  !b># F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=28f8e69e-8363-4a90-aabd-5174a5638f87 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d92e6477-3666-4ea8-a114-d77e552c7a2e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=re t** #b> ]Ɋ&  !Xb># F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8a3deaad-4393-4ebc-ba36-7446aa6f669d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= - ** #b> ]Ɋ&  !Xb># F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8a3deaad-4393-4ebc-ba36-7446aa6f669d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** #b> ]Ɋ&  !Xb># F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8a3deaad-4393-4ebc-ba36-7446aa6f669d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rror ** #b> ]Ɋ&  !Xb># F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8a3deaad-4393-4ebc-ba36-7446aa6f669d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mCla ** #b> ]Ɋ&  !Xb># F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8a3deaad-4393-4ebc-ba36-7446aa6f669d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r Wi ** #b> ]Ɋ&  !Xb># F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8a3deaad-4393-4ebc-ba36-7446aa6f669d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=hCh ** #b> ]Ɋ& ; !b># F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8a3deaad-4393-4ebc-ba36-7446aa6f669d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion=4.0 RunspaceId=38e1996d-a8a9-490c-9acd-c6186332d70e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  Ɋ& ]Ɋ& b># F&me= Comman ]Ɋ& ne޲=# F&  =f# F&eId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" F& ]Ɋ& CommandPath= Co=F<ElfChnk####0.3,"Mu=VysMc&&**#b> ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !b># F&F%g>9{p(xlMD EventDatauoData !BinaryStoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=a3eaa028-4bab-42fa-91bd-a1e042ed4937 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=4e3f2b9e-eb8a-4de3-a59b-b3c462d522b6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=I** #ub> ]Ɋ& G !ub># F&$ StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=8a3deaad-4393-4ebc-ba36-7446aa6f669d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion=4.0 RunspaceId=38e1996d-a8a9-490c-9acd-c6186332d70e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=H **X#8}d> ]Ɋ&  !X8}d># F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=78f5c655-d5db-4b1e-a07f-8ff26a0525a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=heX**p#8}d> ]Ɋ&  !X8}d># F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=78f5c655-d5db-4b1e-a07f-8ff26a0525a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-bp**p#8}d> ]Ɋ&  !X8}d># F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=78f5c655-d5db-4b1e-a07f-8ff26a0525a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d fap**h#8}d> ]Ɋ&  !X8}d># F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=78f5c655-d5db-4b1e-a07f-8ff26a0525a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$mach**h#8}d> ]Ɋ&  !X8}d># F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=78f5c655-d5db-4b1e-a07f-8ff26a0525a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t-Coh**h#8}d> ]Ɋ&  !X8}d># F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=78f5c655-d5db-4b1e-a07f-8ff26a0525a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rorh**#8}d> ]Ɋ&  !8}d># F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=78f5c655-d5db-4b1e-a07f-8ff26a0525a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=44596eb2-8442-40f8-aeef-de84fdd546be PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e W**#8}d> ]Ɋ& !8}d># F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=78f5c655-d5db-4b1e-a07f-8ff26a0525a5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=44596eb2-8442-40f8-aeef-de84fdd546be PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.** #8}d> ]Ɋ& w !X8}d># F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ff43cb65-e448-4ab9-9267-b9207d02bb91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d **8#8}d> ]Ɋ&  !X8}d># F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ff43cb65-e448-4ab9-9267-b9207d02bb91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=C8**8#8}d> ]Ɋ&  !X8}d># F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ff43cb65-e448-4ab9-9267-b9207d02bb91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ask8**0#8}d> ]Ɋ&  !X8}d># F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ff43cb65-e448-4ab9-9267-b9207d02bb91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sta0**0#8}d> ]Ɋ&  !X8}d># F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ff43cb65-e448-4ab9-9267-b9207d02bb91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Sc0**0#8}d> ]Ɋ&  !X8}d># F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ff43cb65-e448-4ab9-9267-b9207d02bb91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= {0**#8}d> ]Ɋ&  !8}d># F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ff43cb65-e448-4ab9-9267-b9207d02bb91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=ed88b0a1-2ece-4328-ba10-3276a36dd003 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er**#e> ]Ɋ&  !e># F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=ff43cb65-e448-4ab9-9267-b9207d02bb91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=ed88b0a1-2ece-4328-ba10-3276a36dd003 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ɋ& ]Ɋ& Xdo># F&me= Comman ]Ɋ& ne޲=# F&  =f# F&eId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" F& ]Ɋ& CommandPath= Co=F<ElfChnk####qrMu=VysMc&&**`#do> ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! =!Xdo># F&F%g>9{p(xlMD EventDatauoData !Binary AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=efc8adfc-78e0-44cd-a362-b84b17c88ef9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) +`**p#do> ]Ɋ&  !Xdo># F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=efc8adfc-78e0-44cd-a362-b84b17c88ef9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=typ**p#do> ]Ɋ&  !Xdo># F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=efc8adfc-78e0-44cd-a362-b84b17c88ef9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mptyp**h#do> ]Ɋ&  !Xdo># F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=efc8adfc-78e0-44cd-a362-b84b17c88ef9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= emph**h#do> ]Ɋ&  !Xdo># F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=efc8adfc-78e0-44cd-a362-b84b17c88ef9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= emph**h#do> ]Ɋ&  !Xdo># F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=efc8adfc-78e0-44cd-a362-b84b17c88ef9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=emph**#do> ]Ɋ&  !do># F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=efc8adfc-78e0-44cd-a362-b84b17c88ef9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=9eb58ec1-3975-4e49-a7b4-d11c4878ede6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **#do> ]Ɋ& !do># F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=efc8adfc-78e0-44cd-a362-b84b17c88ef9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=9eb58ec1-3975-4e49-a7b4-d11c4878ede6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **X#z> ]Ɋ&  !Xz># F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=09944cf9-7f7d-4142-abbc-6d9914194c74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**p#z> ]Ɋ&  !Xz># F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=09944cf9-7f7d-4142-abbc-6d9914194c74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rep**p#z> ]Ɋ&  !Xz># F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=09944cf9-7f7d-4142-abbc-6d9914194c74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rst p**h#z> ]Ɋ&  !Xz># F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=09944cf9-7f7d-4142-abbc-6d9914194c74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ $mh**h#z> ]Ɋ&  !Xz># F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=09944cf9-7f7d-4142-abbc-6d9914194c74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= } ch**h#z> ]Ɋ&  !Xz># F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=09944cf9-7f7d-4142-abbc-6d9914194c74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ih**#z> ]Ɋ&  !z># F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=09944cf9-7f7d-4142-abbc-6d9914194c74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=ec313cc2-be1a-4049-beb6-7031ee449876 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C**#z> ]Ɋ& !z># F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=09944cf9-7f7d-4142-abbc-6d9914194c74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=ec313cc2-be1a-4049-beb6-7031ee449876 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r** ##{> ]Ɋ& w !X#{># F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6d29e8de-9cc5-49c1-897e-0cea9e1914bd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d 03 Pipelin ]Ɋ& = X#{># F& Ɋ& ]Ɋ& Xdo># F&me= Comman ]Ɋ& ne޲=# F&  =f# F&eId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" F& ]Ɋ& CommandPath= Co=F<ElfChnk####Pv.aMu=VysMc&&**@##{> ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X#{># F&F%g>9{p(xlMD EventDatauoData !Binaryl EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6d29e8de-9cc5-49c1-897e-0cea9e1914bd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=om@**8##{> ]Ɋ&  !X#{># F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6d29e8de-9cc5-49c1-897e-0cea9e1914bd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Scr8**0##{> ]Ɋ&  !X#{># F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6d29e8de-9cc5-49c1-897e-0cea9e1914bd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Com0**0##{> ]Ɋ&  !X#{># F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6d29e8de-9cc5-49c1-897e-0cea9e1914bd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Run0**0##{> ]Ɋ&  !X#{># F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6d29e8de-9cc5-49c1-897e-0cea9e1914bd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=it0**##{> ]Ɋ&  !#{># F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6d29e8de-9cc5-49c1-897e-0cea9e1914bd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=88fe35f9-46a2-4791-9bc2-d9a35b85821e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ng**#&{> ]Ɋ&  !&{># F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=6d29e8de-9cc5-49c1-897e-0cea9e1914bd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=88fe35f9-46a2-4791-9bc2-d9a35b85821e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ru**#&{> ]Ɋ&  !X&{># F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=61ed0874-1bfa-4d8e-8c6f-98f24606dd39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Engi**#&{> ]Ɋ&  !X&{># F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=61ed0874-1bfa-4d8e-8c6f-98f24606dd39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ion=**#&{> ]Ɋ& !X&{># F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=61ed0874-1bfa-4d8e-8c6f-98f24606dd39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C**#&{> ]Ɋ&  !X&{># F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=61ed0874-1bfa-4d8e-8c6f-98f24606dd39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= S**#&{> ]Ɋ&  !X&{># F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=61ed0874-1bfa-4d8e-8c6f-98f24606dd39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mm**#&{> ]Ɋ&  !X&{># F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=61ed0874-1bfa-4d8e-8c6f-98f24606dd39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**#&{> ]Ɋ& O!&{># F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=61ed0874-1bfa-4d8e-8c6f-98f24606dd39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=27a8c4af-1637-4bc1-9d12-14288cdd6377 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**#T|> ]Ɋ& [!T|># F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=61ed0874-1bfa-4d8e-8c6f-98f24606dd39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=27a8c4af-1637-4bc1-9d12-14288cdd6377 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eSt**8 #ڀ> ]Ɋ&  !Xڀ># F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=3e97d083-3a09-4e34-a3e5-a210cf407a01 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dN8 **P #ڀ> ]Ɋ&  !Xڀ># F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=3e97d083-3a09-4e34-a3e5-a210cf407a01 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= }P atch { # ]Ɋ& ioXڀ># F&= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d 03 Pipelin ]Ɋ& = X#{># F& Ɋ& ]Ɋ& Xdo># F&me= Comman ]Ɋ& ne޲=# F&  =f# F&eId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" F& ]Ɋ& CommandPath= Co=F<ElfChnk#$#$`a4Mu=VysMc&&**P#ڀ> ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! 1 !Xڀ># F&F%g>9{p(xlMD EventDatauoData !Binary~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=3e97d083-3a09-4e34-a3e5-a210cf407a01 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nP**H #ڀ> ]Ɋ&  !Xڀ># F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=3e97d083-3a09-4e34-a3e5-a210cf407a01 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ect-H **H #ڀ> ]Ɋ&  !Xڀ># F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=3e97d083-3a09-4e34-a3e5-a210cf407a01 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= WinH **H #ڀ> ]Ɋ&  !Xڀ># F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=3e97d083-3a09-4e34-a3e5-a210cf407a01 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nd H ** #ڀ> ]Ɋ&  !ڀ># F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=3e97d083-3a09-4e34-a3e5-a210cf407a01 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=62e40a3c-8d63-44cc-9e70-0066dec677b6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Cl ** #ڀ> ]Ɋ&  !ڀ># F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=3e97d083-3a09-4e34-a3e5-a210cf407a01 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=62e40a3c-8d63-44cc-9e70-0066dec677b6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=I ** #ڀ> ]Ɋ& w !Xڀ># F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2841a45d-9fe3-440d-9ebf-53bc4f021d05 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8#ڀ> ]Ɋ&  !Xڀ># F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2841a45d-9fe3-440d-9ebf-53bc4f021d05 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t8**8#ڀ> ]Ɋ&  !Xڀ># F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2841a45d-9fe3-440d-9ebf-53bc4f021d05 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Er8**0#ڀ> ]Ɋ&  !Xڀ># F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2841a45d-9fe3-440d-9ebf-53bc4f021d05 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= st0**0#ڀ> ]Ɋ&  !Xڀ># F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2841a45d-9fe3-440d-9ebf-53bc4f021d05 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Add0**0#ڀ> ]Ɋ&  !Xڀ># F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2841a45d-9fe3-440d-9ebf-53bc4f021d05 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= "0**#ڀ> ]Ɋ&  !ڀ># F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2841a45d-9fe3-440d-9ebf-53bc4f021d05 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=0d1871af-f047-4a67-9865-cdc99fa2f909 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=au**#p> ]Ɋ&  !p># F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=2841a45d-9fe3-440d-9ebf-53bc4f021d05 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=0d1871af-f047-4a67-9865-cdc99fa2f909 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gs w**$p> ]Ɋ& K!Xp>$ F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=070baf65-d936-46ae-9527-0beaee1992e0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ion**$p> ]Ɋ& c!Xp>$ F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=070baf65-d936-46ae-9527-0beaee1992e0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=edu**$p> ]Ɋ& _!Xp>$ F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=070baf65-d936-46ae-9527-0beaee1992e0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**$p> ]Ɋ& W!Xp>$ F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=070baf65-d936-46ae-9527-0beaee1992e0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**$p> ]Ɋ& W!Xp>$ F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=070baf65-d936-46ae-9527-0beaee1992e0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=C**$p> ]Ɋ& Y!Xp>$ F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=070baf65-d936-46ae-9527-0beaee1992e0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=elin**X$p> ]Ɋ& !p>$ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=070baf65-d936-46ae-9527-0beaee1992e0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=4e488d72-5828-46c3-9747-4497477c6552 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Id -X**`$> ]Ɋ& !>$ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=070baf65-d936-46ae-9527-0beaee1992e0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=4e488d72-5828-46c3-9747-4497477c6552 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= {` } } W ]Ɋ& ceX>$ F&me= CommandType= ScriptName= CommandPath= CommandLine= }P atch { # ]Ɋ& ioXڀ># F&= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d 03 Pipelin ]Ɋ& = X#{># F& Ɋ& ]Ɋ& Xdo># F&me= Comman ]Ɋ& ne޲=# F&  =f# F&eId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" F& ]Ɋ& CommandPath= Co=F<ElfChnk$$$$h5}0}sMu=VysMc&&**($> ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X>$ F&F%g>9{p(xlMD EventDatauoData !BinaryT AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=82170db3-9de0-43a1-83d0-605ac0fe9b5e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S(**8 $> ]Ɋ&  !X> $ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=82170db3-9de0-43a1-83d0-605ac0fe9b5e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=08**8 $> ]Ɋ&  !X> $ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=82170db3-9de0-43a1-83d0-605ac0fe9b5e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nPo8**0 $> ]Ɋ&  !X> $ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=82170db3-9de0-43a1-83d0-605ac0fe9b5e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 'M0**0 $> ]Ɋ&  !X> $ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=82170db3-9de0-43a1-83d0-605ac0fe9b5e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ows0**0 $> ]Ɋ&  !X> $ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=82170db3-9de0-43a1-83d0-605ac0fe9b5e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nd0**$> ]Ɋ&  !>$ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=82170db3-9de0-43a1-83d0-605ac0fe9b5e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=ca8a6aad-228b-4df6-aa62-997542ebb06d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tl**$> ]Ɋ&  !>$ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=82170db3-9de0-43a1-83d0-605ac0fe9b5e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=ca8a6aad-228b-4df6-aa62-997542ebb06d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=utes** $J> ]Ɋ&  !XJ>$ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=153f4494-0121-4291-b0bc-3adc1638b4cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r ** $J> ]Ɋ&  !XJ>$ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=153f4494-0121-4291-b0bc-3adc1638b4cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=A ** $J> ]Ɋ&  !XJ>$ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=153f4494-0121-4291-b0bc-3adc1638b4cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ntl ** $J> ]Ɋ&  !XJ>$ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=153f4494-0121-4291-b0bc-3adc1638b4cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=41a ** $J> ]Ɋ&  !XJ>$ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=153f4494-0121-4291-b0bc-3adc1638b4cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on ** $J> ]Ɋ&  !XJ>$ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=153f4494-0121-4291-b0bc-3adc1638b4cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-n ** $J> ]Ɋ& e !J>$ F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=153f4494-0121-4291-b0bc-3adc1638b4cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=279b48bb-4ee2-4d75-8655-eb1043b9e6cb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ol **X$J> ]Ɋ&  !XJ>$ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ba74370f-6dea-416e-85db-7f510e62e779 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=veX**p$J> ]Ɋ&  !XJ>$ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ba74370f-6dea-416e-85db-7f510e62e779 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sop**p$J> ]Ɋ&  !XJ>$ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ba74370f-6dea-416e-85db-7f510e62e779 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=uencp**h$J> ]Ɋ&  !XJ>$ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ba74370f-6dea-416e-85db-7f510e62e779 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $_hediaType -eq ]Ɋ&  XJ>$ F&_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=4e488d72-5828-46c3-9747-4497477c6552 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= {` } } W ]Ɋ& ceX>$ F&me= CommandType= ScriptName= CommandPath= CommandLine= }P atch { # ]Ɋ& ioXڀ># F&= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d 03 Pipelin ]Ɋ& = X#{># F& Ɋ& ]Ɋ& Xdo># F&me= Comman ]Ɋ& ne޲=# F&  =f# F&eId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=" F& ]Ɋ& CommandPath= Co=F<ElfChnk$3$$3$enO ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! I!XJ>$ F&F%g>9{p(xlMD EventDatauoData !Binary RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ba74370f-6dea-416e-85db-7f510e62e779 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h$J> ]Ɋ&  !XJ>$ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ba74370f-6dea-416e-85db-7f510e62e779 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**$J> ]Ɋ&  !J>$ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ba74370f-6dea-416e-85db-7f510e62e779 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=067fa300-2a74-4bff-afb1-dfda3725fdf2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rov** $J> ]Ɋ& q !J>$ F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=153f4494-0121-4291-b0bc-3adc1638b4cd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=279b48bb-4ee2-4d75-8655-eb1043b9e6cb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= } **$J> ]Ɋ& !J>$ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ba74370f-6dea-416e-85db-7f510e62e779 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=067fa300-2a74-4bff-afb1-dfda3725fdf2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**X $J> ]Ɋ&  !XJ> $ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c78bc732-52b8-4d6f-a60a-bea97e36858e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= {X**p!$J> ]Ɋ&  !XJ>!$ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c78bc732-52b8-4d6f-a60a-bea97e36858e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=IPp**p"$J> ]Ɋ&  !XJ>"$ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c78bc732-52b8-4d6f-a60a-bea97e36858e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -anp**h#$J> ]Ɋ&  !XJ>#$ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c78bc732-52b8-4d6f-a60a-bea97e36858e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=3adch**h$$J> ]Ɋ&  !XJ>$$ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c78bc732-52b8-4d6f-a60a-bea97e36858e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= }h**h%$J> ]Ɋ&  !XJ>%$ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c78bc732-52b8-4d6f-a60a-bea97e36858e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eHoh**&$J> ]Ɋ&  !J>&$ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c78bc732-52b8-4d6f-a60a-bea97e36858e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=205b3e5b-ebe4-4f27-86db-db7ddd64a0f3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=erI**'$J> ]Ɋ& 7!XJ>'$ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=945f1cb2-f832-4186-b417-17093d6b4d9f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P**($J> ]Ɋ& O!XJ>($ F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=945f1cb2-f832-4186-b417-17093d6b4d9f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=:**)$J> ]Ɋ& K!XJ>)$ F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=945f1cb2-f832-4186-b417-17093d6b4d9f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $p***$J> ]Ɋ& C!XJ>*$ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=945f1cb2-f832-4186-b417-17093d6b4d9f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **+$J> ]Ɋ& C!XJ>+$ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=945f1cb2-f832-4186-b417-17093d6b4d9f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f51**,$J> ]Ɋ& E!XJ>,$ F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=945f1cb2-f832-4186-b417-17093d6b4d9f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sa**-$J> ]Ɋ& !J>-$ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c78bc732-52b8-4d6f-a60a-bea97e36858e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=205b3e5b-ebe4-4f27-86db-db7ddd64a0f3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=u**@.$J> ]Ɋ& !J>.$ F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=945f1cb2-f832-4186-b417-17093d6b4d9f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=9ce795db-9f2b-495b-89fa-5412dd05cf98 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=@**P/$4> ]Ɋ& !4>/$ F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=945f1cb2-f832-4186-b417-17093d6b4d9f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=9ce795db-9f2b-495b-89fa-5412dd05cf98 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=GNERP**H0$ve'? ]Ɋ& !Xve'?0$ F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=02bf5389-ed84-4b5f-a558-d41e1e9f4512 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=UH**`1$ve'? ]Ɋ& !Xve'?1$ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=02bf5389-ed84-4b5f-a558-d41e1e9f4512 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e`**`2$ve'? ]Ɋ& !Xve'?2$ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=02bf5389-ed84-4b5f-a558-d41e1e9f4512 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mma`**X3$ve'? ]Ɋ& !Xve'?3$ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=02bf5389-ed84-4b5f-a558-d41e1e9f4512 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== Xo=F<ElfChnk4$N$4$N$H7 Mu=VysMc&&**X4$ve'? ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! ;!Xve'?4$ F&F%g>9{p(xlMD EventDatauoData !BinaryRegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=02bf5389-ed84-4b5f-a558-d41e1e9f4512 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**X5$ve'? ]Ɋ& !Xve'?5$ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=02bf5389-ed84-4b5f-a558-d41e1e9f4512 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$X**6$ve'? ]Ɋ& !ve'?6$ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=02bf5389-ed84-4b5f-a558-d41e1e9f4512 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=4d10a068-d224-4239-a970-47d76f38be84 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **7$(? ]Ɋ&  !(?7$ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=02bf5389-ed84-4b5f-a558-d41e1e9f4512 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=4d10a068-d224-4239-a970-47d76f38be84 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h) {**8$8Q3? ]Ɋ& K!X8Q3?8$ F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4ffe005b-740d-4907-8c4c-16eead84cb1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **9$8Q3? ]Ɋ& c!X8Q3?9$ F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4ffe005b-740d-4907-8c4c-16eead84cb1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Non**:$8Q3? ]Ɋ& _!X8Q3?:$ F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4ffe005b-740d-4907-8c4c-16eead84cb1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**;$8Q3? ]Ɋ& W!X8Q3?;$ F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4ffe005b-740d-4907-8c4c-16eead84cb1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=)**<$8Q3? ]Ɋ& W!X8Q3?<$ F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4ffe005b-740d-4907-8c4c-16eead84cb1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**=$8Q3? ]Ɋ& Y!X8Q3?=$ F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4ffe005b-740d-4907-8c4c-16eead84cb1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=!**X>$8Q3? ]Ɋ& !8Q3?>$ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4ffe005b-740d-4907-8c4c-16eead84cb1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=6e0cc0a2-190a-494c-9546-d0cac5009526 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ate.X**`?$3? ]Ɋ& !3??$ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4ffe005b-740d-4907-8c4c-16eead84cb1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=6e0cc0a2-190a-494c-9546-d0cac5009526 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_.`** @$3? ]Ɋ& w !X3?@$ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=3e9e4dee-c642-4543-a539-4b2516217a36 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S **8A$3? ]Ɋ&  !X3?A$ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=3e9e4dee-c642-4543-a539-4b2516217a36 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8B$3? ]Ɋ&  !X3?B$ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=3e9e4dee-c642-4543-a539-4b2516217a36 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y l8**0C$3? ]Ɋ&  !X3?C$ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=3e9e4dee-c642-4543-a539-4b2516217a36 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ign0**0D$3? ]Ɋ&  !X3?D$ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=3e9e4dee-c642-4543-a539-4b2516217a36 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} c0**0E$3? ]Ɋ&  !X3?E$ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=3e9e4dee-c642-4543-a539-4b2516217a36 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**F$3? ]Ɋ&  !3?F$ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=3e9e4dee-c642-4543-a539-4b2516217a36 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b89d9bbf-d054-4e0a-b375-4759f75d1f26 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **G$e4? ]Ɋ&  !e4?G$ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=3e9e4dee-c642-4543-a539-4b2516217a36 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b89d9bbf-d054-4e0a-b375-4759f75d1f26 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Sc** H$e4? ]Ɋ&  !Xe4?H$ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4e0de4e7-1576-4517-a5d0-5ed5cb0124b1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c ** I$e4? ]Ɋ&  !Xe4?I$ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4e0de4e7-1576-4517-a5d0-5ed5cb0124b1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d ** J$e4? ]Ɋ&  !Xe4?J$ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4e0de4e7-1576-4517-a5d0-5ed5cb0124b1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ite ** K$e4? ]Ɋ&  !Xe4?K$ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4e0de4e7-1576-4517-a5d0-5ed5cb0124b1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** L$e4? ]Ɋ&  !Xe4?L$ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4e0de4e7-1576-4517-a5d0-5ed5cb0124b1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=yer ** M$e4? ]Ɋ&  !Xe4?M$ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4e0de4e7-1576-4517-a5d0-5ed5cb0124b1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ic ** N$e4? ]Ɋ& e !e4?N$ F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4e0de4e7-1576-4517-a5d0-5ed5cb0124b1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=a9d03d38-04b5-4cfe-84df-4f075538e97a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Co andPath= CommandLine== Xo=F<ElfChnkO$m$O$m$x5YMu=VysMc&&** O$e4? ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !e4?O$ F&F%g>9{p(xlMD EventDatauoData !BinaryN StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4e0de4e7-1576-4517-a5d0-5ed5cb0124b1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=a9d03d38-04b5-4cfe-84df-4f075538e97a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r **P$5? ]Ɋ& 7!X5?P$ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f8185f98-bedf-4cc9-9531-553801576ec1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**Q$5? ]Ɋ& O!X5?Q$ F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f8185f98-bedf-4cc9-9531-553801576ec1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**R$5? ]Ɋ& K!X5?R$ F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f8185f98-bedf-4cc9-9531-553801576ec1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=[PS**S$5? ]Ɋ& C!X5?S$ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f8185f98-bedf-4cc9-9531-553801576ec1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ach**T$5? ]Ɋ& C!X5?T$ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f8185f98-bedf-4cc9-9531-553801576ec1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} |**U$5? ]Ɋ& E!X5?U$ F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f8185f98-bedf-4cc9-9531-553801576ec1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -**@V$5? ]Ɋ& !5?V$ F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f8185f98-bedf-4cc9-9531-553801576ec1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=841fa7e2-65da-4b0c-9a70-2642d70b8cf2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=SC@**PW$5? ]Ɋ& !5?W$ F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f8185f98-bedf-4cc9-9531-553801576ec1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=841fa7e2-65da-4b0c-9a70-2642d70b8cf2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ceIDP**HX$5? ]Ɋ& !X5?X$ F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=940b823f-42b8-4a5e-b2c6-49d7bebdbf2e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=4H**`Y$5? ]Ɋ& !X5?Y$ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=940b823f-42b8-4a5e-b2c6-49d7bebdbf2e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=3`**`Z$5? ]Ɋ& !X5?Z$ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=940b823f-42b8-4a5e-b2c6-49d7bebdbf2e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ace`**X[$5? ]Ɋ& !X5?[$ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=940b823f-42b8-4a5e-b2c6-49d7bebdbf2e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l bX**X\$5? ]Ɋ& !X5?\$ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=940b823f-42b8-4a5e-b2c6-49d7bebdbf2e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= } X**X]$5? ]Ɋ& !X5?]$ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=940b823f-42b8-4a5e-b2c6-49d7bebdbf2e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f X**^$5? ]Ɋ& !5?^$ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=940b823f-42b8-4a5e-b2c6-49d7bebdbf2e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=acd87d9f-96d1-48ba-8a00-cd1fddb03562 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **_$!? ]Ɋ& K!X!?_$ F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f5fb19e0-92a6-4ec9-80bd-1cd33b9e7d56 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omm**`$!? ]Ɋ& c!X!?`$ F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f5fb19e0-92a6-4ec9-80bd-1cd33b9e7d56 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t-N**a$!? ]Ɋ& _!X!?a$ F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f5fb19e0-92a6-4ec9-80bd-1cd33b9e7d56 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a**b$!? ]Ɋ& W!X!?b$ F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f5fb19e0-92a6-4ec9-80bd-1cd33b9e7d56 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l**c$!? ]Ɋ& W!X!?c$ F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f5fb19e0-92a6-4ec9-80bd-1cd33b9e7d56 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **d$!? ]Ɋ& Y!X!?d$ F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f5fb19e0-92a6-4ec9-80bd-1cd33b9e7d56 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ho**Xe$!? ]Ɋ& !!?e$ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f5fb19e0-92a6-4ec9-80bd-1cd33b9e7d56 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=c9cd59fa-da73-4230-b8ce-7512b2ba98e5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eak X**`f$,? ]Ɋ& !,?f$ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f5fb19e0-92a6-4ec9-80bd-1cd33b9e7d56 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=c9cd59fa-da73-4230-b8ce-7512b2ba98e5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=*`** g$,? ]Ɋ& w !X,?g$ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=dec270fe-2cf7-4d98-9796-3efdf93d0313 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8h$,? ]Ɋ&  !X,?h$ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=dec270fe-2cf7-4d98-9796-3efdf93d0313 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=N8**8i$,? ]Ɋ&  !X,?i$ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=dec270fe-2cf7-4d98-9796-3efdf93d0313 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=neI8**0j$,? ]Ɋ&  !X,?j$ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=dec270fe-2cf7-4d98-9796-3efdf93d0313 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0k$,? ]Ɋ&  !X,?k$ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=dec270fe-2cf7-4d98-9796-3efdf93d0313 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s 0**0l$,? ]Ɋ&  !X,?l$ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=dec270fe-2cf7-4d98-9796-3efdf93d0313 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= t0**m$,? ]Ɋ&  !,?m$ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=dec270fe-2cf7-4d98-9796-3efdf93d0313 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=0eb0f058-d882-4753-aa1b-fdcfdd45d80d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $mains[0] } e ]Ɋ&  -R?n$ F&-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ic ** N$e4? ]Ɋ& e !e4?N$ F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4e0de4e7-1576-4517-a5d0-5ed5cb0124b1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=a9d03d38-04b5-4cfe-84df-4f075538e97a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Co andPath= CommandLine== Xo=F<ElfChnkn$$n$$P~g|(JMu=VysMc&&**n$R? ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! q!R?n$ F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=dec270fe-2cf7-4d98-9796-3efdf93d0313 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=0eb0f058-d882-4753-aa1b-fdcfdd45d80d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t** o$R? ]Ɋ&  !XR?o$ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6f795495-3eb6-4d17-b047-1b330ee70592 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a ** p$R? ]Ɋ&  !XR?p$ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6f795495-3eb6-4d17-b047-1b330ee70592 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** q$R? ]Ɋ&  !XR?q$ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6f795495-3eb6-4d17-b047-1b330ee70592 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=aye ** r$R? ]Ɋ&  !XR?r$ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6f795495-3eb6-4d17-b047-1b330ee70592 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ho ** s$R? ]Ɋ&  !XR?s$ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6f795495-3eb6-4d17-b047-1b330ee70592 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** t$R? ]Ɋ&  !XR?t$ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6f795495-3eb6-4d17-b047-1b330ee70592 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er ** u$R? ]Ɋ& e !R?u$ F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6f795495-3eb6-4d17-b047-1b330ee70592 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=b0ac2124-a30d-40bf-90be-074beea4c124 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=am ** v$R? ]Ɋ& q !R?v$ F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=6f795495-3eb6-4d17-b047-1b330ee70592 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=b0ac2124-a30d-40bf-90be-074beea4c124 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.Siz **w$Y? ]Ɋ& 7!XY?w$ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a8bc285d-5f65-400d-b321-fba9e2d4ca29 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.**x$Y? ]Ɋ& O!XY?x$ F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a8bc285d-5f65-400d-b321-fba9e2d4ca29 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **y$Y? ]Ɋ& K!XY?y$ F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a8bc285d-5f65-400d-b321-fba9e2d4ca29 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t]@**z$Y? ]Ɋ& C!XY?z$ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a8bc285d-5f65-400d-b321-fba9e2d4ca29 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tom**{$Y? ]Ɋ& C!XY?{$ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a8bc285d-5f65-400d-b321-fba9e2d4ca29 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ **|$Y? ]Ɋ& E!XY?|$ F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a8bc285d-5f65-400d-b321-fba9e2d4ca29 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ea**@}$Y? ]Ɋ& !Y?}$ F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a8bc285d-5f65-400d-b321-fba9e2d4ca29 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=0cce9c47-9db2-445d-ad6f-7dca783eb861 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ty@**P~$Y? ]Ɋ& !Y?~$ F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=a8bc285d-5f65-400d-b321-fba9e2d4ca29 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=0cce9c47-9db2-445d-ad6f-7dca783eb861 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on SP**$? ]Ɋ&  !?$ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=940b823f-42b8-4a5e-b2c6-49d7bebdbf2e HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=acd87d9f-96d1-48ba-8a00-cd1fddb03562 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=try **X$P@ ]Ɋ&  !XP@$ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4ca5dee8-3dc1-4ba7-81c6-f322fcfc3c45 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**p$P@ ]Ɋ&  !XP@$ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4ca5dee8-3dc1-4ba7-81c6-f322fcfc3c45 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= #p**p$P@ ]Ɋ&  !XP@$ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4ca5dee8-3dc1-4ba7-81c6-f322fcfc3c45 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=(-nop**h$P@ ]Ɋ&  !XP@$ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4ca5dee8-3dc1-4ba7-81c6-f322fcfc3c45 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= (Geh**h$P@ ]Ɋ&  !XP@$ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4ca5dee8-3dc1-4ba7-81c6-f322fcfc3c45 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ce -h**h$P@ ]Ɋ&  !XP@$ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4ca5dee8-3dc1-4ba7-81c6-f322fcfc3c45 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=inuh**$P@ ]Ɋ&  !P@$ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4ca5dee8-3dc1-4ba7-81c6-f322fcfc3c45 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=85487b49-e743-43c3-9137-f35580006362 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0] else { "" }  ]Ɋ&  P@$ F&"DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=a9d03d38-04b5-4cfe-84df-4f075538e97a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Co andPath= CommandLine== Xo=F<ElfChnk$$$$P1eMu=VysMc&&**$P@ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !P@$ F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4ca5dee8-3dc1-4ba7-81c6-f322fcfc3c45 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=85487b49-e743-43c3-9137-f35580006362 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X$~A@ ]Ɋ&  !X~A@$ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=92790355-19bd-423b-899a-c573ceef8320 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=amX**p$~A@ ]Ɋ&  !X~A@$ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=92790355-19bd-423b-899a-c573ceef8320 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Cop**p$~A@ ]Ɋ&  !X~A@$ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=92790355-19bd-423b-899a-c573ceef8320 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ss -p**h$~A@ ]Ɋ&  !X~A@$ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=92790355-19bd-423b-899a-c573ceef8320 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=elinh**h$~A@ ]Ɋ&  !X~A@$ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=92790355-19bd-423b-899a-c573ceef8320 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=@() h**h$~A@ ]Ɋ&  !X~A@$ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=92790355-19bd-423b-899a-c573ceef8320 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=21-h**$~A@ ]Ɋ&  !~A@$ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=92790355-19bd-423b-899a-c573ceef8320 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=f8c3cdab-4795-4055-b075-2a1550f3684b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ut **$~A@ ]Ɋ& !~A@$ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=92790355-19bd-423b-899a-c573ceef8320 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=f8c3cdab-4795-4055-b075-2a1550f3684b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** $ڈ@ ]Ɋ& w !Xڈ@$ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=68380e6d-da72-4bb7-bff5-6230b20194ba HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e **8$ڈ@ ]Ɋ&  !Xڈ@$ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=68380e6d-da72-4bb7-bff5-6230b20194ba HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={8**8$ڈ@ ]Ɋ&  !Xڈ@$ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=68380e6d-da72-4bb7-bff5-6230b20194ba HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=kus8**0$ڈ@ ]Ɋ&  !Xڈ@$ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=68380e6d-da72-4bb7-bff5-6230b20194ba HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0$ڈ@ ]Ɋ&  !Xڈ@$ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=68380e6d-da72-4bb7-bff5-6230b20194ba HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=st 0**0$ڈ@ ]Ɋ&  !Xڈ@$ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=68380e6d-da72-4bb7-bff5-6230b20194ba HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e 0**$ڈ@ ]Ɋ&  !ڈ@$ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=68380e6d-da72-4bb7-bff5-6230b20194ba HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=feed7b7d-3e97-46a9-bcdb-75108b86b11c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ba**$r@ ]Ɋ&  !r@$ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=68380e6d-da72-4bb7-bff5-6230b20194ba HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=feed7b7d-3e97-46a9-bcdb-75108b86b11c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t  }  ]Ɋ& n Xr@$ F&te-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=85487b49-e743-43c3-9137-f35580006362 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0] else { "" }  ]Ɋ&  P@$ F&"DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=a9d03d38-04b5-4cfe-84df-4f075538e97a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Co andPath= CommandLine== Xo=F<ElfChnk$$$$?ӧFMu=VysMc&&**$r@ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !Xr@$ F&F%g>9{p(xlMD EventDatauoData !Binary AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0ddbe554-83df-40f8-9261-f36762461eb6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **$r@ ]Ɋ&  !Xr@$ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0ddbe554-83df-40f8-9261-f36762461eb6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**$r@ ]Ɋ& !Xr@$ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0ddbe554-83df-40f8-9261-f36762461eb6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**$r@ ]Ɋ&  !Xr@$ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0ddbe554-83df-40f8-9261-f36762461eb6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=FӨ**$r@ ]Ɋ&  !Xr@$ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0ddbe554-83df-40f8-9261-f36762461eb6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ov**$r@ ]Ɋ&  !Xr@$ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0ddbe554-83df-40f8-9261-f36762461eb6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S**$r@ ]Ɋ& O!r@$ F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0ddbe554-83df-40f8-9261-f36762461eb6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=f3bb014f-9e7a-4e0f-8469-4d85a580150d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**$r@ ]Ɋ& [!r@$ F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=0ddbe554-83df-40f8-9261-f36762461eb6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=f3bb014f-9e7a-4e0f-8469-4d85a580150d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=23b**8 $|c@ ]Ɋ&  !X|c@$ F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=db8f0f8f-4e48-44b2-ae6e-60ffc916c7ae HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8 **P $|c@ ]Ɋ&  !X|c@$ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=db8f0f8f-4e48-44b2-ae6e-60ffc916c7ae HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=meP **P $|c@ ]Ɋ&  !X|c@$ F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=db8f0f8f-4e48-44b2-ae6e-60ffc916c7ae HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gnorP **H $|c@ ]Ɋ&  !X|c@$ F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=db8f0f8f-4e48-44b2-ae6e-60ffc916c7ae HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tewaH **H $|c@ ]Ɋ&  !X|c@$ F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=db8f0f8f-4e48-44b2-ae6e-60ffc916c7ae HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H **H $|c@ ]Ɋ&  !X|c@$ F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=db8f0f8f-4e48-44b2-ae6e-60ffc916c7ae HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=| WH ** $|c@ ]Ɋ&  !|c@$ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=db8f0f8f-4e48-44b2-ae6e-60ffc916c7ae HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=e40f88b4-6340-40cb-b99e-1d70a2d99f0a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { ** $|c@ ]Ɋ&  !|c@$ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=db8f0f8f-4e48-44b2-ae6e-60ffc916c7ae HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=e40f88b4-6340-40cb-b99e-1d70a2d99f0a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r ** $|c@ ]Ɋ& w !X|c@$ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=14b7878a-a35b-4fec-9d5c-d5b2e7afdf8b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t  { # ignor ]Ɋ&  iX|c@$ F&e -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=feed7b7d-3e97-46a9-bcdb-75108b86b11c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t  }  ]Ɋ& n Xr@$ F&te-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=85487b49-e743-43c3-9137-f35580006362 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0] else { "" }  ]Ɋ&  P@$ F&"DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=a9d03d38-04b5-4cfe-84df-4f075538e97a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Co andPath= CommandLine== Xo=F<ElfChnk$$$$p?Mu=VysMc&&**@$|c@ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X|c@$ F&F%g>9{p(xlMD EventDatauoData !Binaryl EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=14b7878a-a35b-4fec-9d5c-d5b2e7afdf8b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== @**8$|c@ ]Ɋ&  !X|c@$ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=14b7878a-a35b-4fec-9d5c-d5b2e7afdf8b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sio8**0$|c@ ]Ɋ&  !X|c@$ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=14b7878a-a35b-4fec-9d5c-d5b2e7afdf8b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Out0**0$|c@ ]Ɋ&  !X|c@$ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=14b7878a-a35b-4fec-9d5c-d5b2e7afdf8b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l -0**0$|c@ ]Ɋ&  !X|c@$ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=14b7878a-a35b-4fec-9d5c-d5b2e7afdf8b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-E0**$|c@ ]Ɋ&  !|c@$ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=14b7878a-a35b-4fec-9d5c-d5b2e7afdf8b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=a61528c2-d7c7-4e16-ad33-88cb038ce094 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Tr**$@ ]Ɋ&  !@$ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=14b7878a-a35b-4fec-9d5c-d5b2e7afdf8b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=a61528c2-d7c7-4e16-ad33-88cb038ce094 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ame **$@ ]Ɋ& K!X@$ F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e42294ce-49f7-49c2-a783-c89ada184306 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ept**$@ ]Ɋ& c!X@$ F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e42294ce-49f7-49c2-a783-c89ada184306 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s) **$@ ]Ɋ& _!X@$ F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e42294ce-49f7-49c2-a783-c89ada184306 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**$@ ]Ɋ& W!X@$ F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e42294ce-49f7-49c2-a783-c89ada184306 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-**$@ ]Ɋ& W!X@$ F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e42294ce-49f7-49c2-a783-c89ada184306 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=u**$@ ]Ɋ& Y!X@$ F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e42294ce-49f7-49c2-a783-c89ada184306 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h ($**X$@ ]Ɋ& !@$ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e42294ce-49f7-49c2-a783-c89ada184306 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=d395323a-9416-49f8-9f20-9d2357a20657 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= tX**`$@ ]Ɋ& !@$ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e42294ce-49f7-49c2-a783-c89ada184306 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=d395323a-9416-49f8-9f20-9d2357a20657 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=et`** $@ ]Ɋ& w !X@$ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d65c4810-a2ad-4572-b035-e211b55a8fa7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P **8$@ ]Ɋ&  !X@$ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d65c4810-a2ad-4572-b035-e211b55a8fa7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n8**8$@ ]Ɋ&  !X@$ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d65c4810-a2ad-4572-b035-e211b55a8fa7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rAc8**0$@ ]Ɋ&  !X@$ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d65c4810-a2ad-4572-b035-e211b55a8fa7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oc.0**0$@ ]Ɋ&  !X@$ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d65c4810-a2ad-4572-b035-e211b55a8fa7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Kil0**0$@ ]Ɋ&  !X@$ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d65c4810-a2ad-4572-b035-e211b55a8fa7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= (0**$@ ]Ɋ&  !@$ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d65c4810-a2ad-4572-b035-e211b55a8fa7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b83f4f46-01a8-4603-b00f-3d3a41199380 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= RspaceId=a9d0 ]Ɋ&  @-@$ F& ScriptName= CommandPath= CommandLine=Co andPath= CommandLine== Xo=F<ElfChnk$$$$Fl|Mu=VysMc&&**$@-@ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! q!@-@$ F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=d65c4810-a2ad-4572-b035-e211b55a8fa7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b83f4f46-01a8-4603-b00f-3d3a41199380 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** $@-@ ]Ɋ&  !X@-@$ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=00fc4d1d-727e-4427-b54e-bfaf03f18a90 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=W ** $@-@ ]Ɋ&  !X@-@$ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=00fc4d1d-727e-4427-b54e-bfaf03f18a90 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** $@-@ ]Ɋ&  !X@-@$ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=00fc4d1d-727e-4427-b54e-bfaf03f18a90 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ovi ** $@-@ ]Ɋ&  !X@-@$ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=00fc4d1d-727e-4427-b54e-bfaf03f18a90 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Ob ** $@-@ ]Ɋ&  !X@-@$ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=00fc4d1d-727e-4427-b54e-bfaf03f18a90 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sel ** $@-@ ]Ɋ&  !X@-@$ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=00fc4d1d-727e-4427-b54e-bfaf03f18a90 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-9 ** $@-@ ]Ɋ& e !@-@$ F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=00fc4d1d-727e-4427-b54e-bfaf03f18a90 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=5e3e8ef8-d727-4df6-a741-59f241ef419f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y  **X$@-@ ]Ɋ&  !X@-@$ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=213cfcbf-de13-4a38-a64a-56593455edfc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=edX**p$@-@ ]Ɋ&  !X@-@$ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=213cfcbf-de13-4a38-a64a-56593455edfc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=anp**p$@-@ ]Ɋ&  !X@-@$ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=213cfcbf-de13-4a38-a64a-56593455edfc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Hosp**h$@-@ ]Ɋ&  !X@-@$ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=213cfcbf-de13-4a38-a64a-56593455edfc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1) {h**h$@-@ ]Ɋ&  !X@-@$ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=213cfcbf-de13-4a38-a64a-56593455edfc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on Sh**h$@-@ ]Ɋ&  !X@-@$ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=213cfcbf-de13-4a38-a64a-56593455edfc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ecth**$@-@ ]Ɋ&  !@-@$ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=213cfcbf-de13-4a38-a64a-56593455edfc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=daf75d05-2d66-4cb7-9e62-a0aa7913889f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s -** $@-@ ]Ɋ& q !@-@$ F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=00fc4d1d-727e-4427-b54e-bfaf03f18a90 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=5e3e8ef8-d727-4df6-a741-59f241ef419f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rorA **$@-@ ]Ɋ& !@-@$ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=213cfcbf-de13-4a38-a64a-56593455edfc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=daf75d05-2d66-4cb7-9e62-a0aa7913889f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**X$@-@ ]Ɋ&  !X@-@$ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f498a1f1-9847-46f0-8b54-2546a354e090 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=SiX**p$@-@ ]Ɋ&  !X@-@$ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f498a1f1-9847-46f0-8b54-2546a354e090 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= =pet-NetRoute  ]Ɋ& utX@-@$ F&f ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b83f4f46-01a8-4603-b00f-3d3a41199380 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= RspaceId=a9d0 ]Ɋ&  @-@$ F& ScriptName= CommandPath= CommandLine=Co andPath= CommandLine== Xo=F<ElfChnk$$$$:(*5iMu=VysMc&&**p$@-@ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! Q!X@-@$ F&F%g>9{p(xlMD EventDatauoData !Binary FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f498a1f1-9847-46f0-8b54-2546a354e090 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Cp**h$@-@ ]Ɋ&  !X@-@$ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f498a1f1-9847-46f0-8b54-2546a354e090 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndexh**h$@-@ ]Ɋ&  !X@-@$ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f498a1f1-9847-46f0-8b54-2546a354e090 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mmanh**h$@-@ ]Ɋ&  !X@-@$ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f498a1f1-9847-46f0-8b54-2546a354e090 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ h**$@-@ ]Ɋ&  !@-@$ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f498a1f1-9847-46f0-8b54-2546a354e090 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=0acaf4cb-ac8a-4054-b7e8-515c3dd687a1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Pip**$Ŕ@ ]Ɋ& 7!XŔ@$ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=3aa73023-a7a5-4b5a-ac2a-63b54d6753a4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=)**$Ŕ@ ]Ɋ& O!XŔ@$ F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=3aa73023-a7a5-4b5a-ac2a-63b54d6753a4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**$Ŕ@ ]Ɋ& K!XŔ@$ F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=3aa73023-a7a5-4b5a-ac2a-63b54d6753a4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -e**$Ŕ@ ]Ɋ& C!XŔ@$ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=3aa73023-a7a5-4b5a-ac2a-63b54d6753a4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tpu**$Ŕ@ ]Ɋ& C!XŔ@$ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=3aa73023-a7a5-4b5a-ac2a-63b54d6753a4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Li**$Ŕ@ ]Ɋ& E!XŔ@$ F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=3aa73023-a7a5-4b5a-ac2a-63b54d6753a4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **$Ŕ@ ]Ɋ& !Ŕ@$ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f498a1f1-9847-46f0-8b54-2546a354e090 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=0acaf4cb-ac8a-4054-b7e8-515c3dd687a1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**@$Ŕ@ ]Ɋ& !Ŕ@$ F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=3aa73023-a7a5-4b5a-ac2a-63b54d6753a4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=cae7308f-c6a9-4bc9-9291-bda85b4d4a4b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ec@**P$Ŕ@ ]Ɋ& !Ŕ@$ F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=3aa73023-a7a5-4b5a-ac2a-63b54d6753a4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=cae7308f-c6a9-4bc9-9291-bda85b4d4a4b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ect-P**H$JA ]Ɋ& !XJA$ F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=42797bf4-8523-42e6-9e14-a3efe8829033 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eH**`$JA ]Ɋ& !XJA$ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=42797bf4-8523-42e6-9e14-a3efe8829033 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$`**`$JA ]Ɋ& !XJA$ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=42797bf4-8523-42e6-9e14-a3efe8829033 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ig.`**X$JA ]Ɋ& !XJA$ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=42797bf4-8523-42e6-9e14-a3efe8829033 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**X$JA ]Ɋ& !XJA$ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=42797bf4-8523-42e6-9e14-a3efe8829033 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d=2X**X$JA ]Ɋ& !XJA$ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=42797bf4-8523-42e6-9e14-a3efe8829033 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.SX**$JA ]Ɋ& !JA$ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=42797bf4-8523-42e6-9e14-a3efe8829033 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=21ae3ffc-9223-483f-9f44-eba88d5fd231 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **$ >A ]Ɋ&  ! >A$ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=42797bf4-8523-42e6-9e14-a3efe8829033 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=21ae3ffc-9223-483f-9f44-eba88d5fd231 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sEng**$3EA ]Ɋ& K!X3EA$ F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7b987a50-1c02-4bdc-a4d1-b6dfb4a3b6c5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 'V**$3EA ]Ɋ& c!X3EA$ F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7b987a50-1c02-4bdc-a4d1-b6dfb4a3b6c5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ept**$3EA ]Ɋ& _!X3EA$ F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7b987a50-1c02-4bdc-a4d1-b6dfb4a3b6c5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**$3EA ]Ɋ& W!X3EA$ F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7b987a50-1c02-4bdc-a4d1-b6dfb4a3b6c5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**$3EA ]Ɋ& W!X3EA$ F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7b987a50-1c02-4bdc-a4d1-b6dfb4a3b6c5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **$3EA ]Ɋ& Y!X3EA$ F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7b987a50-1c02-4bdc-a4d1-b6dfb4a3b6c5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} **X$3EA ]Ɋ& !3EA$ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7b987a50-1c02-4bdc-a4d1-b6dfb4a3b6c5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=76aea9f3-29c7-440e-a65e-1d4dc4a68e85 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=onmeX**`$qEA ]Ɋ& !qEA$ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=7b987a50-1c02-4bdc-a4d1-b6dfb4a3b6c5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=76aea9f3-29c7-440e-a65e-1d4dc4a68e85 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t `** $qEA ]Ɋ& w !XqEA$ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9bd51791-66c2-4025-90b9-9009af5953c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e **8$qEA ]Ɋ&  !XqEA$ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9bd51791-66c2-4025-90b9-9009af5953c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==8 CommandName ]Ɋ&  CXqEA$ F&d0 ]Ɋ&  @-@$ F& ScriptName= CommandPath= CommandLine=Co andPath= CommandLine== Xo=F<ElfChnk$%$%p(XY?EMu=VysMc&&**8$qEA ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XqEA$ F&F%g>9{p(xlMD EventDatauoData !Binaryh FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9bd51791-66c2-4025-90b9-9009af5953c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8**0$qEA ]Ɋ&  !XqEA$ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9bd51791-66c2-4025-90b9-9009af5953c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndT0**0$qEA ]Ɋ&  !XqEA$ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9bd51791-66c2-4025-90b9-9009af5953c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=neI0**0$qEA ]Ɋ&  !XqEA$ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9bd51791-66c2-4025-90b9-9009af5953c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=si0**$qEA ]Ɋ&  !qEA$ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9bd51791-66c2-4025-90b9-9009af5953c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=a19a0bba-4fb6-4ffc-aed9-488614b7f6f0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ru**$eFA ]Ɋ&  !eFA$ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=9bd51791-66c2-4025-90b9-9009af5953c9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=a19a0bba-4fb6-4ffc-aed9-488614b7f6f0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=onso** $eFA ]Ɋ&  !XeFA$ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4289f1cd-74bb-4802-a065-8df785bb1af8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o ** $eFA ]Ɋ&  !XeFA$ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4289f1cd-74bb-4802-a065-8df785bb1af8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=. ** $eFA ]Ɋ&  !XeFA$ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4289f1cd-74bb-4802-a065-8df785bb1af8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sig ** $eFA ]Ɋ&  !XeFA$ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4289f1cd-74bb-4802-a065-8df785bb1af8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=3b5 ** $eFA ]Ɋ&  !XeFA$ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4289f1cd-74bb-4802-a065-8df785bb1af8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= P ** $eFA ]Ɋ&  !XeFA$ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4289f1cd-74bb-4802-a065-8df785bb1af8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** $eFA ]Ɋ& e !eFA$ F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4289f1cd-74bb-4802-a065-8df785bb1af8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=c50399ab-373f-4164-804f-80a1e9d113e0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er ** $eFA ]Ɋ& q !eFA$ F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4289f1cd-74bb-4802-a065-8df785bb1af8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=c50399ab-373f-4164-804f-80a1e9d113e0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=les\ **%FA ]Ɋ& 7!XFA% F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=306cc221-0bd7-4fc7-93ec-5a57067313b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**%FA ]Ɋ& O!XFA% F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=306cc221-0bd7-4fc7-93ec-5a57067313b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**%FA ]Ɋ& K!XFA% F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=306cc221-0bd7-4fc7-93ec-5a57067313b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=and**%FA ]Ɋ& C!XFA% F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=306cc221-0bd7-4fc7-93ec-5a57067313b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndN**%FA ]Ɋ& C!XFA% F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=306cc221-0bd7-4fc7-93ec-5a57067313b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **%FA ]Ɋ& E!XFA% F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=306cc221-0bd7-4fc7-93ec-5a57067313b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=li**@%FA ]Ɋ& !FA% F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=306cc221-0bd7-4fc7-93ec-5a57067313b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=3f1dfd7d-7a8f-42f7-b152-fbe37ba86795 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dT@**P%FA ]Ɋ& !FA% F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=306cc221-0bd7-4fc7-93ec-5a57067313b5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=3f1dfd7d-7a8f-42f7-b152-fbe37ba86795 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=CommP**H%A ]Ɋ& !XA% F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d2cf8e32-030a-4892-bc02-f32ae616fe22 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=hH**` %A ]Ɋ& !XA % F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d2cf8e32-030a-4892-bc02-f32ae616fe22 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==`**` %A ]Ɋ& !XA % F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d2cf8e32-030a-4892-bc02-f32ae616fe22 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ror`**X %A ]Ɋ& !XA % F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d2cf8e32-030a-4892-bc02-f32ae616fe22 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ultX**X %A ]Ɋ& !XA % F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d2cf8e32-030a-4892-bc02-f32ae616fe22 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**X %A ]Ɋ& !XA % F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d2cf8e32-030a-4892-bc02-f32ae616fe22 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=onX**%A ]Ɋ& !A% F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d2cf8e32-030a-4892-bc02-f32ae616fe22 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=acb08c1d-e995-40f9-82df-9fc3d6aa8788 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $**%uA ]Ɋ&  !uA% F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d2cf8e32-030a-4892-bc02-f32ae616fe22 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=acb08c1d-e995-40f9-82df-9fc3d6aa8788 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  ]Ɋ& 0X8A% F& @-@$ F& ScriptName= CommandPath= CommandLine=Co andPath= CommandLine== Xo=F<ElfChnk%(%%(%!DMu=VysMc&&** %8A ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X8A% F&F%g>9{p(xlMD EventDatauoData !Binary(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6f2a4538-5221-46b6-a243-23c7b7907f18 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **%8A ]Ɋ& c!X8A% F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6f2a4538-5221-46b6-a243-23c7b7907f18 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fa**%8A ]Ɋ& _!X8A% F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6f2a4538-5221-46b6-a243-23c7b7907f18 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**%8A ]Ɋ& W!X8A% F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6f2a4538-5221-46b6-a243-23c7b7907f18 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a**%8A ]Ɋ& W!X8A% F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6f2a4538-5221-46b6-a243-23c7b7907f18 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **%8A ]Ɋ& Y!X8A% F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6f2a4538-5221-46b6-a243-23c7b7907f18 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dres**X%8A ]Ɋ& !8A% F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6f2a4538-5221-46b6-a243-23c7b7907f18 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=d743ce2e-04ea-46d6-a660-a08a9e0378d2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h= X**`%ϜA ]Ɋ& !ϜA% F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=6f2a4538-5221-46b6-a243-23c7b7907f18 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=d743ce2e-04ea-46d6-a660-a08a9e0378d2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Er`** %ϜA ]Ɋ& w !XϜA% F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=766fec53-ea43-4822-9959-77333277eb0d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e **8%ϜA ]Ɋ&  !XϜA% F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=766fec53-ea43-4822-9959-77333277eb0d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=N8**8%ϜA ]Ɋ&  !XϜA% F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=766fec53-ea43-4822-9959-77333277eb0d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**0%ϜA ]Ɋ&  !XϜA% F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=766fec53-ea43-4822-9959-77333277eb0d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0%ϜA ]Ɋ&  !XϜA% F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=766fec53-ea43-4822-9959-77333277eb0d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nte0**0%ϜA ]Ɋ&  !XϜA% F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=766fec53-ea43-4822-9959-77333277eb0d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ne0**%ϜA ]Ɋ&  !ϜA% F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=766fec53-ea43-4822-9959-77333277eb0d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=25a8a5a0-79ea-424b-b123-2728d219e015 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= {**%e5A ]Ɋ&  !e5A% F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=766fec53-ea43-4822-9959-77333277eb0d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=25a8a5a0-79ea-424b-b123-2728d219e015 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rver** %e5A ]Ɋ&  !Xe5A % F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0f8f7cea-8cb3-47ac-a8c8-f4698a225375 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i ** !%e5A ]Ɋ&  !Xe5A!% F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0f8f7cea-8cb3-47ac-a8c8-f4698a225375 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** "%e5A ]Ɋ&  !Xe5A"% F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0f8f7cea-8cb3-47ac-a8c8-f4698a225375 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nkL ** #%e5A ]Ɋ&  !Xe5A#% F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0f8f7cea-8cb3-47ac-a8c8-f4698a225375 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Hos ** $%e5A ]Ɋ&  !Xe5A$% F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0f8f7cea-8cb3-47ac-a8c8-f4698a225375 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d7d ** %%e5A ]Ɋ&  !Xe5A%% F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0f8f7cea-8cb3-47ac-a8c8-f4698a225375 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** &%e5A ]Ɋ& e !e5A&% F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0f8f7cea-8cb3-47ac-a8c8-f4698a225375 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=f26c4939-9c89-4a74-a28e-69702fb271c7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  ** '%e5A ]Ɋ& q !e5A'% F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=0f8f7cea-8cb3-47ac-a8c8-f4698a225375 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=f26c4939-9c89-4a74-a28e-69702fb271c7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Styl **(%A ]Ɋ& 7!XA(% F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=03335361-d30e-4367-84b8-0a1aee738b40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mndName= Co ]Ɋ& ndXA)% F&]Ɋ& 0X8A% F& @-@$ F& ScriptName= CommandPath= CommandLine=Co andPath= CommandLine== Xo=F<ElfChnk)%B%)%B%xDW&Mu=VysMc&&** )%A ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XA)% F&F%g>9{p(xlMD EventDatauoData !Binary,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=03335361-d30e-4367-84b8-0a1aee738b40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** ***%A ]Ɋ& K!XA*% F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=03335361-d30e-4367-84b8-0a1aee738b40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ine**+%A ]Ɋ& C!XA+% F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=03335361-d30e-4367-84b8-0a1aee738b40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=th=**,%A ]Ɋ& C!XA,% F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=03335361-d30e-4367-84b8-0a1aee738b40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omm**-%A ]Ɋ& E!XA-% F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=03335361-d30e-4367-84b8-0a1aee738b40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me**@.%A ]Ɋ& !A.% F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=03335361-d30e-4367-84b8-0a1aee738b40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=57580729-c757-4f5a-9924-0eb19146e4b2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e=@**P/%A ]Ɋ& !A/% F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=03335361-d30e-4367-84b8-0a1aee738b40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=57580729-c757-4f5a-9924-0eb19146e4b2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=andLP**H0%B ]Ɋ& !XB0% F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=035cf93f-06c5-489f-a279-c31c827b0ea3 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eH**`1%B ]Ɋ& !XB1% F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=035cf93f-06c5-489f-a279-c31c827b0ea3 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i`**`2%B ]Ɋ& !XB2% F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=035cf93f-06c5-489f-a279-c31c827b0ea3 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t 1`**X3%B ]Ɋ& !XB3% F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=035cf93f-06c5-489f-a279-c31c827b0ea3 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t -X**X4%B ]Ɋ& !XB4% F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=035cf93f-06c5-489f-a279-c31c827b0ea3 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nt X**X5%B ]Ɋ& !XB5% F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=035cf93f-06c5-489f-a279-c31c827b0ea3 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $X**6%B ]Ɋ& !B6% F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=035cf93f-06c5-489f-a279-c31c827b0ea3 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=9aaaee11-e8d5-481b-b400-18540a820db5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ad**7%l_B ]Ɋ&  !l_B7% F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=035cf93f-06c5-489f-a279-c31c827b0ea3 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=9aaaee11-e8d5-481b-b400-18540a820db5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=%**X8%]ZB ]Ɋ&  !X]ZB8% F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1acc7167-33de-4164-b5c4-70183e88b2f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**p9%]ZB ]Ɋ&  !X]ZB9% F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1acc7167-33de-4164-b5c4-70183e88b2f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mep**p:%]ZB ]Ɋ&  !X]ZB:% F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1acc7167-33de-4164-b5c4-70183e88b2f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==Stap**h;%]ZB ]Ɋ&  !X]ZB;% F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1acc7167-33de-4164-b5c4-70183e88b2f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==13 h**h<%]ZB ]Ɋ&  !X]ZB<% F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1acc7167-33de-4164-b5c4-70183e88b2f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**h=%]ZB ]Ɋ&  !X]ZB=% F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1acc7167-33de-4164-b5c4-70183e88b2f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=arth**>%]ZB ]Ɋ&  !]ZB>% F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1acc7167-33de-4164-b5c4-70183e88b2f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=6b498f11-e71a-4a62-ba2f-f6e013099786 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$co**?%]ZB ]Ɋ& !]ZB?% F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=1acc7167-33de-4164-b5c4-70183e88b2f7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=6b498f11-e71a-4a62-ba2f-f6e013099786 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==**X@%.KB ]Ɋ&  !X.KB@% F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e1e012be-0003-4c42-b6dd-086b0602d914 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-CX**pA%.KB ]Ɋ&  !X.KBA% F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e1e012be-0003-4c42-b6dd-086b0602d914 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eSp**pB%.KB ]Ɋ&  !X.KBB% F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e1e012be-0003-4c42-b6dd-086b0602d914 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nsSepers += $dnsC ]Ɋ& omX.KBC% F&et-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=f26c4939-9c89-4a74-a28e-69702fb271c7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Styl **(%A ]Ɋ& 7!XA(% F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=03335361-d30e-4367-84b8-0a1aee738b40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mndName= Co ]Ɋ& ndXA)% F&]Ɋ& 0X8A% F& @-@$ F& ScriptName= CommandPath= CommandLine=Co andPath= CommandLine== Xo=F<ElfChnkC%S%C%S%heƚMu=VysMc&&**hC%.KB ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! I!X.KBC% F&F%g>9{p(xlMD EventDatauoData !Binary FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e1e012be-0003-4c42-b6dd-086b0602d914 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ph**hD%.KB ]Ɋ&  !X.KBD% F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e1e012be-0003-4c42-b6dd-086b0602d914 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} h**hE%.KB ]Ɋ&  !X.KBE% F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e1e012be-0003-4c42-b6dd-086b0602d914 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=edh**F%.KB ]Ɋ&  !.KBF% F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e1e012be-0003-4c42-b6dd-086b0602d914 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=6dd163e9-f152-48db-9442-c22266c11a95 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NoP**G%B ]Ɋ& !BG% F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e1e012be-0003-4c42-b6dd-086b0602d914 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=6dd163e9-f152-48db-9442-c22266c11a95 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** H%B ]Ɋ& w !XBH% F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1bf32305-d6a3-4b83-8961-8bcf7850738b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8I%B ]Ɋ&  !XBI% F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1bf32305-d6a3-4b83-8961-8bcf7850738b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=38**8J%B ]Ɋ&  !XBJ% F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1bf32305-d6a3-4b83-8961-8bcf7850738b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { 8**0K%B ]Ɋ&  !XBK% F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1bf32305-d6a3-4b83-8961-8bcf7850738b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rt.0**0L%B ]Ɋ&  !XBL% F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1bf32305-d6a3-4b83-8961-8bcf7850738b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=29.0**0M%B ]Ɋ&  !XBM% F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1bf32305-d6a3-4b83-8961-8bcf7850738b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y 0**N%B ]Ɋ&  !BN% F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1bf32305-d6a3-4b83-8961-8bcf7850738b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=7dd6b037-923e-4357-93ad-c208ec831122 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=en**O%[|B ]Ɋ&  ![|BO% F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=1bf32305-d6a3-4b83-8961-8bcf7850738b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=7dd6b037-923e-4357-93ad-c208ec831122 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=EKUs**P%[|B ]Ɋ&  !X[|BP% F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5e8774dc-e739-4fe3-a2d9-363886f6d0d3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t EK**Q%[|B ]Ɋ&  !X[|BQ% F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5e8774dc-e739-4fe3-a2d9-363886f6d0d3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= OID**R%[|B ]Ɋ& !X[|BR% F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5e8774dc-e739-4fe3-a2d9-363886f6d0d3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$c**S%[|B ]Ɋ&  !X[|BS% F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5e8774dc-e739-4fe3-a2d9-363886f6d0d3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s,inkLayerAddr ]Ɋ& esX[|BT% F&o arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mndName= Co ]Ɋ& ndXA)% F&]Ɋ& 0X8A% F& @-@$ F& ScriptName= CommandPath= CommandLine=Co andPath= CommandLine== Xo=F<ElfChnkT%i%T%i%P7zMu=VysMc&&**T%[|B ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X[|BT% F&F%g>9{p(xlMD EventDatauoData !Binary RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5e8774dc-e739-4fe3-a2d9-363886f6d0d3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**U%[|B ]Ɋ&  !X[|BU% F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5e8774dc-e739-4fe3-a2d9-363886f6d0d3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**V%[|B ]Ɋ& O![|BV% F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5e8774dc-e739-4fe3-a2d9-363886f6d0d3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=ac120991-f769-48c9-a6d6-7ab81f364323 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **W%B ]Ɋ& [!BW% F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5e8774dc-e739-4fe3-a2d9-363886f6d0d3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=ac120991-f769-48c9-a6d6-7ab81f364323 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=equ**X%ԪB ]Ɋ& K!XԪBX% F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=37cf95fe-921e-4d4a-95d5-c2d5edd91627 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ner**Y%ԪB ]Ɋ& c!XԪBY% F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=37cf95fe-921e-4d4a-95d5-c2d5edd91627 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xit**Z%ԪB ]Ɋ& _!XԪBZ% F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=37cf95fe-921e-4d4a-95d5-c2d5edd91627 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**[%ԪB ]Ɋ& W!XԪB[% F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=37cf95fe-921e-4d4a-95d5-c2d5edd91627 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**\%ԪB ]Ɋ& W!XԪB\% F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=37cf95fe-921e-4d4a-95d5-c2d5edd91627 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**]%ԪB ]Ɋ& Y!XԪB]% F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=37cf95fe-921e-4d4a-95d5-c2d5edd91627 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= }**X^%ԪB ]Ɋ& !ԪB^% F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=37cf95fe-921e-4d4a-95d5-c2d5edd91627 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=421e837f-5d1e-4d9f-a419-b384fb87e681 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h X**`_%-mB ]Ɋ& !-mB_% F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=37cf95fe-921e-4d4a-95d5-c2d5edd91627 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=421e837f-5d1e-4d9f-a419-b384fb87e681 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er`** `%-mB ]Ɋ& w !X-mB`% F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=aac32fbd-9633-4520-ae19-b9e34c960fdc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8a%-mB ]Ɋ&  !X-mBa% F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=aac32fbd-9633-4520-ae19-b9e34c960fdc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a8**8b%-mB ]Ɋ&  !X-mBb% F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=aac32fbd-9633-4520-ae19-b9e34c960fdc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pte8**0c%-mB ]Ɋ&  !X-mBc% F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=aac32fbd-9633-4520-ae19-b9e34c960fdc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=apt0**0d%-mB ]Ɋ&  !X-mBd% F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=aac32fbd-9633-4520-ae19-b9e34c960fdc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=if 0**0e%-mB ]Ɋ&  !X-mBe% F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=aac32fbd-9633-4520-ae19-b9e34c960fdc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= w0**f%-mB ]Ɋ&  !-mBf% F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=aac32fbd-9633-4520-ae19-b9e34c960fdc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b8efc840-79ea-48af-b6b8-7b0918c89225 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= W**8 g%-mB ]Ɋ&  !X-mBg% F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9f83e290-9456-4060-81f3-779a3e3c4868 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=re8 **P h%-mB ]Ɋ&  !X-mBh% F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9f83e290-9456-4060-81f3-779a3e3c4868 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NeP **P i%-mB ]Ɋ&  !X-mBi% F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9f83e290-9456-4060-81f3-779a3e3c4868 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NameP Co ]Ɋ& ]Ɋ& X-mBj% F& 0X8A% F& @-@$ F& ScriptName= CommandPath= CommandLine=Co andPath= CommandLine== Xo=F<ElfChnkj%%j%%0 ^Mu=VysMc&&**Hj%-mB ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! ) !X-mBj% F&F%g>9{p(xlMD EventDatauoData !Binaryv FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9f83e290-9456-4060-81f3-779a3e3c4868 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-H**H k%-mB ]Ɋ&  !X-mBk% F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9f83e290-9456-4060-81f3-779a3e3c4868 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= SH **H l%-mB ]Ɋ&  !X-mBl% F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9f83e290-9456-4060-81f3-779a3e3c4868 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=uleH ** m%-mB ]Ɋ&  !-mBm% F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9f83e290-9456-4060-81f3-779a3e3c4868 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=84a64bf1-d649-4290-810b-e7152173e350 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gge ** n%B ]Ɋ&  !Bn% F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9f83e290-9456-4060-81f3-779a3e3c4868 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=84a64bf1-d649-4290-810b-e7152173e350 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=V ** o%B ]Ɋ& w !XBo% F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=46a3d999-7cd4-4029-9d1e-bbd8d1bbbfa1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=j **8p%B ]Ɋ&  !XBp% F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=46a3d999-7cd4-4029-9d1e-bbd8d1bbbfa1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8**8q%B ]Ɋ&  !XBq% F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=46a3d999-7cd4-4029-9d1e-bbd8d1bbbfa1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ost8**0r%B ]Ɋ&  !XBr% F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=46a3d999-7cd4-4029-9d1e-bbd8d1bbbfa1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0s%B ]Ɋ&  !XBs% F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=46a3d999-7cd4-4029-9d1e-bbd8d1bbbfa1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0t%B ]Ɋ&  !XBt% F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=46a3d999-7cd4-4029-9d1e-bbd8d1bbbfa1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**u%B ]Ɋ&  !Bu% F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=46a3d999-7cd4-4029-9d1e-bbd8d1bbbfa1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=223a0082-6f9a-4eb9-8220-59132b98087a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.0**v%ZB ]Ɋ&  !ZBv% F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=46a3d999-7cd4-4029-9d1e-bbd8d1bbbfa1 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=223a0082-6f9a-4eb9-8220-59132b98087a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fdc **w%ZB ]Ɋ& K!XZBw% F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=dd19f573-faea-4bdf-a5e3-1bcbf6016ad6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **x%ZB ]Ɋ& c!XZBx% F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=dd19f573-faea-4bdf-a5e3-1bcbf6016ad6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= w**y%ZB ]Ɋ& _!XZBy% F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=dd19f573-faea-4bdf-a5e3-1bcbf6016ad6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **z%ZB ]Ɋ& W!XZBz% F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=dd19f573-faea-4bdf-a5e3-1bcbf6016ad6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P**{%ZB ]Ɋ& W!XZB{% F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=dd19f573-faea-4bdf-a5e3-1bcbf6016ad6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **|%ZB ]Ɋ& Y!XZB|% F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=dd19f573-faea-4bdf-a5e3-1bcbf6016ad6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f ($**X}%ZB ]Ɋ& !ZB}% F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=dd19f573-faea-4bdf-a5e3-1bcbf6016ad6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=0ae069b1-594d-4cc5-b4c2-521846700a96 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -ExX**`~%ZB ]Ɋ& !ZB~% F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=dd19f573-faea-4bdf-a5e3-1bcbf6016ad6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=0ae069b1-594d-4cc5-b4c2-521846700a96 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nd`** %ZB ]Ɋ& w !XZB% F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d9ca2aa8-657a-4776-94df-1af1f1c92709 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c reationDate  ]Ɋ& e)XZB% F&-match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NameP Co ]Ɋ& ]Ɋ& X-mBj% F& 0X8A% F& @-@$ F& ScriptName= CommandPath= CommandLine=Co andPath= CommandLine== Xo=F<ElfChnk%%%%H[[Mu=VysMc&&**@%ZB ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XZB% F&F%g>9{p(xlMD EventDatauoData !Binaryl EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d9ca2aa8-657a-4776-94df-1af1f1c92709 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er@**8%ZB ]Ɋ&  !XZB% F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d9ca2aa8-657a-4776-94df-1af1f1c92709 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=83e8**0%ZB ]Ɋ&  !XZB% F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d9ca2aa8-657a-4776-94df-1af1f1c92709 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ass0**0%ZB ]Ɋ&  !XZB% F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d9ca2aa8-657a-4776-94df-1af1f1c92709 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Add0**0%ZB ]Ɋ&  !XZB% F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d9ca2aa8-657a-4776-94df-1af1f1c92709 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-D0**%ZB ]Ɋ&  !ZB% F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d9ca2aa8-657a-4776-94df-1af1f1c92709 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=75fa5543-3966-43c7-a37d-7cf708141153 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t-**%6B ]Ɋ&  !6B% F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=d9ca2aa8-657a-4776-94df-1af1f1c92709 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=75fa5543-3966-43c7-a37d-7cf708141153 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($ro** %6B ]Ɋ&  !X6B% F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=fd22e557-ac8b-49bc-9b2f-a5e0f412b466 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** %6B ]Ɋ&  !X6B% F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=fd22e557-ac8b-49bc-9b2f-a5e0f412b466 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a ** %6B ]Ɋ&  !X6B% F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=fd22e557-ac8b-49bc-9b2f-a5e0f412b466 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** %6B ]Ɋ&  !X6B% F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=fd22e557-ac8b-49bc-9b2f-a5e0f412b466 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** %6B ]Ɋ&  !X6B% F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=fd22e557-ac8b-49bc-9b2f-a5e0f412b466 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= | ** %6B ]Ɋ&  !X6B% F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=fd22e557-ac8b-49bc-9b2f-a5e0f412b466 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ti ** %6B ]Ɋ& e !6B% F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=fd22e557-ac8b-49bc-9b2f-a5e0f412b466 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=88250ed0-c2f4-4835-89f8-9cee3c0e347d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d9 **X%ϭB ]Ɋ&  !XϭB% F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9865a601-2369-4665-98a2-a1e01d2cc6a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**p%ϭB ]Ɋ&  !XϭB% F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9865a601-2369-4665-98a2-a1e01d2cc6a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cep**p%ϭB ]Ɋ&  !XϭB% F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9865a601-2369-4665-98a2-a1e01d2cc6a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Zp**h%ϭB ]Ɋ&  !XϭB% F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9865a601-2369-4665-98a2-a1e01d2cc6a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NonIh**h%ϭB ]Ɋ&  !XϭB% F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9865a601-2369-4665-98a2-a1e01d2cc6a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y -ah $_.MACAddre ]Ɋ&  XϭB% F&in32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c reationDate  ]Ɋ& e)XZB% F&-match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NameP Co ]Ɋ& ]Ɋ& X-mBj% F& 0X8A% F& @-@$ F& ScriptName= CommandPath= CommandLine=Co andPath= CommandLine== Xo=F<ElfChnk%%%%(r'WMu=VysMc&&**h%ϭB ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! K!XϭB% F&F%g>9{p(xlMD EventDatauoData !Binary VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9865a601-2369-4665-98a2-a1e01d2cc6a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h** %ϭB ]Ɋ& q !ϭB% F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=fd22e557-ac8b-49bc-9b2f-a5e0f412b466 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=88250ed0-c2f4-4835-89f8-9cee3c0e347d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= | W **%ϭB ]Ɋ&  !ϭB% F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9865a601-2369-4665-98a2-a1e01d2cc6a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=6790ac18-c14a-4c6f-91fb-6eb5f886526b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dre**%ϭB ]Ɋ& !ϭB% F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9865a601-2369-4665-98a2-a1e01d2cc6a3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=6790ac18-c14a-4c6f-91fb-6eb5f886526b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=C**X%ϭB ]Ɋ&  !XϭB% F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2cb8dd78-ade2-4ca3-a094-f44f73f7acc6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=kAX**p%ϭB ]Ɋ&  !XϭB% F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2cb8dd78-ade2-4ca3-a094-f44f73f7acc6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bjp**p%ϭB ]Ɋ&  !XϭB% F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2cb8dd78-ade2-4ca3-a094-f44f73f7acc6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ratip**h%ϭB ]Ɋ&  !XϭB% F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2cb8dd78-ade2-4ca3-a094-f44f73f7acc6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.0 h**h%ϭB ]Ɋ&  !XϭB% F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2cb8dd78-ade2-4ca3-a094-f44f73f7acc6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $doh**h%ϭB ]Ɋ&  !XϭB% F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2cb8dd78-ade2-4ca3-a094-f44f73f7acc6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Seqh**%ϭB ]Ɋ&  !ϭB% F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2cb8dd78-ade2-4ca3-a094-f44f73f7acc6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=10563e42-8a88-490b-890a-102c7daa708a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.Cs**%ϭB ]Ɋ& 7!XϭB% F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=04f7f49c-02d6-463b-a2aa-739c763547c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=N**%ϭB ]Ɋ& O!XϭB% F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=04f7f49c-02d6-463b-a2aa-739c763547c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=u**%ϭB ]Ɋ& K!XϭB% F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=04f7f49c-02d6-463b-a2aa-739c763547c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t-A**%ϭB ]Ɋ& C!XϭB% F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=04f7f49c-02d6-463b-a2aa-739c763547c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Usa**%ϭB ]Ɋ& C!XϭB% F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=04f7f49c-02d6-463b-a2aa-739c763547c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0 **%ϭB ]Ɋ& E!XϭB% F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=04f7f49c-02d6-463b-a2aa-739c763547c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e **@%ϭB ]Ɋ& !ϭB% F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=04f7f49c-02d6-463b-a2aa-739c763547c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=13362361-a11f-4545-a03e-7b7f04e1ec4e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=yp@**%ϭB ]Ɋ& !ϭB% F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=2cb8dd78-ade2-4ca3-a094-f44f73f7acc6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=10563e42-8a88-490b-890a-102c7daa708a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=L**P%hB ]Ɋ& !hB% F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=04f7f49c-02d6-463b-a2aa-739c763547c6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=13362361-a11f-4545-a03e-7b7f04e1ec4e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e.SuP**H%d4C ]Ɋ& !Xd4C% F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=fb5074aa-a4ff-42b7-99f1-120c80a9badd HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**`%d4C ]Ɋ& !Xd4C% F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=fb5074aa-a4ff-42b7-99f1-120c80a9badd HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=`**`%d4C ]Ɋ& !Xd4C% F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=fb5074aa-a4ff-42b7-99f1-120c80a9badd HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=TAT`**X%d4C ]Ɋ& !Xd4C% F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=fb5074aa-a4ff-42b7-99f1-120c80a9badd HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ekuX**X%d4C ]Ɋ& !Xd4C% F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=fb5074aa-a4ff-42b7-99f1-120c80a9badd HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sioX**X%d4C ]Ɋ& !Xd4C% F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=fb5074aa-a4ff-42b7-99f1-120c80a9badd HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==X**%d4C ]Ɋ& !d4C% F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=fb5074aa-a4ff-42b7-99f1-120c80a9badd HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=1dd94f4f-cce9-4a8c-9d92-75301b4900b5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=F& ]Ɋ& ptEz:C% F&dLine=Co andPath= CommandLine== Xo=F<ElfChnk%%%%HhJ0.IMu=VysMc&&**%Ez:C ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !Ez:C% F&F%g>9{p(xlMD EventDatauoData !BinaryStoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=fb5074aa-a4ff-42b7-99f1-120c80a9badd HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=1dd94f4f-cce9-4a8c-9d92-75301b4900b5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **%!^C ]Ɋ& K!X!^C% F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=cfdf7b5c-43fb-490e-8c73-d27dfae2bb39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ty**%!^C ]Ɋ& c!X!^C% F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=cfdf7b5c-43fb-490e-8c73-d27dfae2bb39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ion**%!^C ]Ɋ& _!X!^C% F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=cfdf7b5c-43fb-490e-8c73-d27dfae2bb39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **%!^C ]Ɋ& W!X!^C% F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=cfdf7b5c-43fb-490e-8c73-d27dfae2bb39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **%!^C ]Ɋ& W!X!^C% F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=cfdf7b5c-43fb-490e-8c73-d27dfae2bb39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c**%!^C ]Ɋ& Y!X!^C% F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=cfdf7b5c-43fb-490e-8c73-d27dfae2bb39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ho**X%!^C ]Ɋ& !!^C% F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=cfdf7b5c-43fb-490e-8c73-d27dfae2bb39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=6e5e66fd-95d8-4314-a53d-528de654f3b2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Get X**`%!^C ]Ɋ& !!^C% F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=cfdf7b5c-43fb-490e-8c73-d27dfae2bb39 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=6e5e66fd-95d8-4314-a53d-528de654f3b2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C`** %!^C ]Ɋ& w !X!^C% F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=892aaa9e-ce9d-43ab-b547-085c3838ee2c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p **8%!^C ]Ɋ&  !X!^C% F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=892aaa9e-ce9d-43ab-b547-085c3838ee2c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e8**8%!^C ]Ɋ&  !X!^C% F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=892aaa9e-ce9d-43ab-b547-085c3838ee2c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sag8**0%!^C ]Ɋ&  !X!^C% F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=892aaa9e-ce9d-43ab-b547-085c3838ee2c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ut 0**0%!^C ]Ɋ&  !X!^C% F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=892aaa9e-ce9d-43ab-b547-085c3838ee2c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= }0**0%!^C ]Ɋ&  !X!^C% F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=892aaa9e-ce9d-43ab-b547-085c3838ee2c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine="E0**%!^C ]Ɋ&  !!^C% F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=892aaa9e-ce9d-43ab-b547-085c3838ee2c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b32a3a10-cdea-4d5d-9c63-6820c140f203 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=us**%n_C ]Ɋ&  !n_C% F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=892aaa9e-ce9d-43ab-b547-085c3838ee2c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=b32a3a10-cdea-4d5d-9c63-6820c140f203 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=&** %n_C ]Ɋ&  !Xn_C% F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9c0467d1-0045-4bc0-8ec3-935d41ff9323 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** %n_C ]Ɋ&  !Xn_C% F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9c0467d1-0045-4bc0-8ec3-935d41ff9323 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s ** %n_C ]Ɋ&  !Xn_C% F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9c0467d1-0045-4bc0-8ec3-935d41ff9323 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Lin ** %n_C ]Ɋ&  !Xn_C% F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9c0467d1-0045-4bc0-8ec3-935d41ff9323 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** %n_C ]Ɋ&  !Xn_C% F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9c0467d1-0045-4bc0-8ec3-935d41ff9323 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ack ** %n_C ]Ɋ&  !Xn_C% F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9c0467d1-0045-4bc0-8ec3-935d41ff9323 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dN ** %n_C ]Ɋ& e !n_C% F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9c0467d1-0045-4bc0-8ec3-935d41ff9323 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=323b4ae8-3efc-470f-bcbb-47f42270fcb5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=st ** %N`C ]Ɋ& q !N`C% F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9c0467d1-0045-4bc0-8ec3-935d41ff9323 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=323b4ae8-3efc-470f-bcbb-47f42270fcb5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ppli tion=powersh ]Ɋ& liXN`C% F& -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=1dd94f4f-cce9-4a8c-9d92-75301b4900b5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=F& ]Ɋ& ptEz:C% F&dLine=Co andPath= CommandLine== Xo=F<ElfChnk%%%%'39Mu=VysMc&&** %N`C ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XN`C% F&F%g>9{p(xlMD EventDatauoData !BinaryAliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=851f9d04-bf3d-48ea-85a2-97bcb034a97e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==S **%N`C ]Ɋ& O!XN`C% F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=851f9d04-bf3d-48ea-85a2-97bcb034a97e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**%N`C ]Ɋ& K!XN`C% F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=851f9d04-bf3d-48ea-85a2-97bcb034a97e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ste**%N`C ]Ɋ& C!XN`C% F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=851f9d04-bf3d-48ea-85a2-97bcb034a97e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ame**%N`C ]Ɋ& C!XN`C% F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=851f9d04-bf3d-48ea-85a2-97bcb034a97e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rov**%N`C ]Ɋ& E!XN`C% F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=851f9d04-bf3d-48ea-85a2-97bcb034a97e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rt**@%N`C ]Ɋ& !N`C% F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=851f9d04-bf3d-48ea-85a2-97bcb034a97e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=28ae420a-9a30-4f4e-802f-5c9d568ab593 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= @**P%N`C ]Ɋ& !N`C% F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=851f9d04-bf3d-48ea-85a2-97bcb034a97e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=28ae420a-9a30-4f4e-802f-5c9d568ab593 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=StopP**H%TC ]Ɋ& !XTC% F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=bc692da2-238b-49f1-8c1b-56e9f0fad45b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=IH**`%TC ]Ɋ& !XTC% F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=bc692da2-238b-49f1-8c1b-56e9f0fad45b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m`**`%TC ]Ɋ& !XTC% F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=bc692da2-238b-49f1-8c1b-56e9f0fad45b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**X%TC ]Ɋ& !XTC% F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=bc692da2-238b-49f1-8c1b-56e9f0fad45b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=andX**X%TC ]Ɋ& !XTC% F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=bc692da2-238b-49f1-8c1b-56e9f0fad45b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pliX**X%TC ]Ɋ& !XTC% F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=bc692da2-238b-49f1-8c1b-56e9f0fad45b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=irX**%TC ]Ɋ& !TC% F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=bc692da2-238b-49f1-8c1b-56e9f0fad45b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=0882b1b5-7206-4656-b289-b3cdf3506494 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ge**%C ]Ɋ&  !C% F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=bc692da2-238b-49f1-8c1b-56e9f0fad45b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=0882b1b5-7206-4656-b289-b3cdf3506494 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sion**%D ]Ɋ& K!XD% F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=fe1e01b2-2c6e-47a2-baf5-96059a593b2c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **%D ]Ɋ& c!XD% F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=fe1e01b2-2c6e-47a2-baf5-96059a593b2c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ype**%D ]Ɋ& _!XD% F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=fe1e01b2-2c6e-47a2-baf5-96059a593b2c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **%D ]Ɋ& W!XD% F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=fe1e01b2-2c6e-47a2-baf5-96059a593b2c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**%D ]Ɋ& W!XD% F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=fe1e01b2-2c6e-47a2-baf5-96059a593b2c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=G**%D ]Ɋ& Y!XD% F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=fe1e01b2-2c6e-47a2-baf5-96059a593b2c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Acti**X%D ]Ɋ& !D% F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=fe1e01b2-2c6e-47a2-baf5-96059a593b2c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=6a2ade6f-f116-46d4-ab20-c869a8be6488 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oleHX**`%D ]Ɋ& !D% F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=fe1e01b2-2c6e-47a2-baf5-96059a593b2c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=6a2ade6f-f116-46d4-ab20-c869a8be6488 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `** %D ]Ɋ& w !XD% F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8a603122-1eb1-4c87-8296-ca015e83740e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8%D ]Ɋ&  !XD% F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8a603122-1eb1-4c87-8296-ca015e83740e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t8**8%D ]Ɋ&  !XD% F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8a603122-1eb1-4c87-8296-ca015e83740e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= D8**0%D ]Ɋ&  !XD% F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8a603122-1eb1-4c87-8296-ca015e83740e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bc00**0%D ]Ɋ&  !XD% F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8a603122-1eb1-4c87-8296-ca015e83740e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$do0**0%D ]Ɋ&  !XD% F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8a603122-1eb1-4c87-8296-ca015e83740e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=wP0**%D ]Ɋ&  !D% F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8a603122-1eb1-4c87-8296-ca015e83740e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=c6db6a15-9759-40f5-a161-5d3d6ef3782a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **%?D ]Ɋ&  !?D% F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=8a603122-1eb1-4c87-8296-ca015e83740e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=c6db6a15-9759-40f5-a161-5d3d6ef3782a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  ]Ɋ& -FX?D% F&bin\health-check.ps1 EngineVersion=4.0 RunspaceId=1dd94f4f-cce9-4a8c-9d92-75301b4900b5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=F& ]Ɋ& ptEz:C% F&dLine=Co andPath= CommandLine== Xo=F<ElfChnk%&%&`@&ʛMu=VysMc&&** %?D ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !X?D% F&F%g>9{p(xlMD EventDatauoData !BinaryAliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=44827174-fc03-48a5-967c-1f1101fed15e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le ** %?D ]Ɋ&  !X?D% F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=44827174-fc03-48a5-967c-1f1101fed15e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** %?D ]Ɋ&  !X?D% F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=44827174-fc03-48a5-967c-1f1101fed15e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=and ** %?D ]Ɋ&  !X?D% F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=44827174-fc03-48a5-967c-1f1101fed15e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nre ** %?D ]Ɋ&  !X?D% F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=44827174-fc03-48a5-967c-1f1101fed15e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** %?D ]Ɋ&  !X?D% F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=44827174-fc03-48a5-967c-1f1101fed15e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ho ** %?D ]Ɋ& e !?D% F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=44827174-fc03-48a5-967c-1f1101fed15e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=c2bb7d35-4cd7-43e8-be92-c544704f9634 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le ** %D ]Ɋ& q !D% F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=44827174-fc03-48a5-967c-1f1101fed15e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=c2bb7d35-4cd7-43e8-be92-c544704f9634 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omma **%D ]Ɋ& 7!XD% F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=aedc7ff6-487b-4069-ad9d-fee044b5ed1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**%D ]Ɋ& O!XD% F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=aedc7ff6-487b-4069-ad9d-fee044b5ed1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P**%D ]Ɋ& K!XD% F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=aedc7ff6-487b-4069-ad9d-fee044b5ed1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tem**%D ]Ɋ& C!XD% F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=aedc7ff6-487b-4069-ad9d-fee044b5ed1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**%D ]Ɋ& C!XD% F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=aedc7ff6-487b-4069-ad9d-fee044b5ed1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= F**%D ]Ɋ& E!XD% F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=aedc7ff6-487b-4069-ad9d-fee044b5ed1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=%**@%D ]Ɋ& !D% F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=aedc7ff6-487b-4069-ad9d-fee044b5ed1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=53f034a9-f8d6-481f-9ec3-da1b9db6fd8e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e@**P%CpD ]Ɋ& !CpD% F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=aedc7ff6-487b-4069-ad9d-fee044b5ed1f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=53f034a9-f8d6-481f-9ec3-da1b9db6fd8e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oppeP**H% %D ]Ɋ& !X %D% F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6c588cf4-ab13-401e-a4dc-a3eeeb01ecbc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**`% %D ]Ɋ& !X %D% F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6c588cf4-ab13-401e-a4dc-a3eeeb01ecbc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$`**`% %D ]Ɋ& !X %D% F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6c588cf4-ab13-401e-a4dc-a3eeeb01ecbc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$ma`**X% %D ]Ɋ& !X %D% F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6c588cf4-ab13-401e-a4dc-a3eeeb01ecbc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ablX**X% %D ]Ɋ& !X %D% F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6c588cf4-ab13-401e-a4dc-a3eeeb01ecbc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-4cX**X% %D ]Ɋ& !X %D% F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6c588cf4-ab13-401e-a4dc-a3eeeb01ecbc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=enX**% %D ]Ɋ& ! %D% F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6c588cf4-ab13-401e-a4dc-a3eeeb01ecbc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=c8635a9e-9de9-49b1-953f-9d75890d2114 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rs**%iD ]Ɋ&  !iD% F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=6c588cf4-ab13-401e-a4dc-a3eeeb01ecbc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=c8635a9e-9de9-49b1-953f-9d75890d2114 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ho**X%w˰D ]Ɋ&  !Xw˰D% F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=21fe0dd7-265f-4f9a-a06f-36907f2bdf43 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**p&w˰D ]Ɋ&  !Xw˰D& F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=21fe0dd7-265f-4f9a-a06f-36907f2bdf43 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=31p**p&w˰D ]Ɋ&  !Xw˰D& F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=21fe0dd7-265f-4f9a-a06f-36907f2bdf43 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=40e p**h&w˰D ]Ɋ&  !Xw˰D& F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=21fe0dd7-265f-4f9a-a06f-36907f2bdf43 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=shelh**h&w˰D ]Ɋ&  !Xw˰D& F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=21fe0dd7-265f-4f9a-a06f-36907f2bdf43 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tApph**h&w˰D ]Ɋ&  !Xw˰D& F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=21fe0dd7-265f-4f9a-a06f-36907f2bdf43 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==hF& ]Ɋ& w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk&&&&}gMu=VysMc&&**&w˰D ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !w˰D& F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=21fe0dd7-265f-4f9a-a06f-36907f2bdf43 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=ab5626b3-f7cb-4826-904f-503fbcf14c72 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**&w˰D ]Ɋ& !w˰D& F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=21fe0dd7-265f-4f9a-a06f-36907f2bdf43 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=ab5626b3-f7cb-4826-904f-503fbcf14c72 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X&#D ]Ɋ&  !X#D& F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=06cf15d9-1832-4f6a-a471-fb8706e90894 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=drX**p&#D ]Ɋ&  !X#D& F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=06cf15d9-1832-4f6a-a471-fb8706e90894 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e=p**p &#D ]Ɋ&  !X#D & F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=06cf15d9-1832-4f6a-a471-fb8706e90894 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=daptp**h &#D ]Ɋ&  !X#D & F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=06cf15d9-1832-4f6a-a471-fb8706e90894 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oProh**h &#D ]Ɋ&  !X#D & F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=06cf15d9-1832-4f6a-a471-fb8706e90894 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**h &#D ]Ɋ&  !X#D & F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=06cf15d9-1832-4f6a-a471-fb8706e90894 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ameh** &#D ]Ɋ&  !#D & F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=06cf15d9-1832-4f6a-a471-fb8706e90894 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=eb9b1c43-3ec8-4171-8eb9-0c78395d6831 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omm**&#D ]Ɋ& !#D& F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=06cf15d9-1832-4f6a-a471-fb8706e90894 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=eb9b1c43-3ec8-4171-8eb9-0c78395d6831 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** &#D ]Ɋ& w !X#D& F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5c1ce372-3280-4439-9edd-e3e6dc9a8942 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=H **8&#D ]Ɋ&  !X#D& F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5c1ce372-3280-4439-9edd-e3e6dc9a8942 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8&#D ]Ɋ&  !X#D& F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5c1ce372-3280-4439-9edd-e3e6dc9a8942 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nce8**0&#D ]Ɋ&  !X#D& F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5c1ce372-3280-4439-9edd-e3e6dc9a8942 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0&#D ]Ɋ&  !X#D& F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5c1ce372-3280-4439-9edd-e3e6dc9a8942 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ced0**0&#D ]Ɋ&  !X#D& F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5c1ce372-3280-4439-9edd-e3e6dc9a8942 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**&HD ]Ɋ&  !HD& F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5c1ce372-3280-4439-9edd-e3e6dc9a8942 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=5b044dfb-bb6d-4dcc-8b16-47acd3f838e9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($uTyped.Enhan ]Ɋ& uTHD& F&ach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==hF& ]Ɋ& w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk&&&&&&x6Hm8Mu=VysMc&&**&HD ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! q!HD& F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=5c1ce372-3280-4439-9edd-e3e6dc9a8942 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=5b044dfb-bb6d-4dcc-8b16-47acd3f838e9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**&TD ]Ɋ&  !XTD& F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c2133f22-1968-44c6-b9e9-9147f6c84344 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Name**&TD ]Ɋ&  !XTD& F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c2133f22-1968-44c6-b9e9-9147f6c84344 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=#**&TD ]Ɋ& !XTD& F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c2133f22-1968-44c6-b9e9-9147f6c84344 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**&TD ]Ɋ&  !XTD& F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c2133f22-1968-44c6-b9e9-9147f6c84344 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**&TD ]Ɋ&  !XTD& F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c2133f22-1968-44c6-b9e9-9147f6c84344 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=st**&TD ]Ɋ&  !XTD& F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c2133f22-1968-44c6-b9e9-9147f6c84344 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l**&TD ]Ɋ& O!TD& F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c2133f22-1968-44c6-b9e9-9147f6c84344 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=6b8fb969-f0c8-47fd-8bce-e08e2e8385b1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**&TD ]Ɋ& [!TD& F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c2133f22-1968-44c6-b9e9-9147f6c84344 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=6b8fb969-f0c8-47fd-8bce-e08e2e8385b1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==06**8 &ED ]Ɋ&  !XED& F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=baf16bd3-e876-4013-8fbb-f335fe31d367 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8 **P &ED ]Ɋ&  !XED & F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=baf16bd3-e876-4013-8fbb-f335fe31d367 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=TyP **P !&ED ]Ɋ&  !XED!& F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=baf16bd3-e876-4013-8fbb-f335fe31d367 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= catP **H "&ED ]Ɋ&  !XED"& F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=baf16bd3-e876-4013-8fbb-f335fe31d367 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d $_H **H #&ED ]Ɋ&  !XED#& F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=baf16bd3-e876-4013-8fbb-f335fe31d367 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1 H **H $&ED ]Ɋ&  !XED$& F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=baf16bd3-e876-4013-8fbb-f335fe31d367 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=erCH ** %&ED ]Ɋ&  !ED%& F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=baf16bd3-e876-4013-8fbb-f335fe31d367 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=9e641b83-ee4c-4f46-b3e0-2a1682369db8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ile ** &&ED ]Ɋ&  !ED&& F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=baf16bd3-e876-4013-8fbb-f335fe31d367 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=9e641b83-ee4c-4f46-b3e0-2a1682369db8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=- t $mac) {  ]Ɋ& rAXED'& F& $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=5b044dfb-bb6d-4dcc-8b16-47acd3f838e9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($uTyped.Enhan ]Ɋ& uTHD& F&ach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==hF& ]Ɋ& w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk'&<&'&<&(4Z5Mu=VysMc&&**('&ED ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XED'& F&F%g>9{p(xlMD EventDatauoData !BinaryT AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2961239a-8a00-4b3d-b457-8a387db9dd51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ty(**8(&ED ]Ɋ&  !XED(& F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2961239a-8a00-4b3d-b457-8a387db9dd51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n8**8)&ED ]Ɋ&  !XED)& F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2961239a-8a00-4b3d-b457-8a387db9dd51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=RNI8**0*&ED ]Ɋ&  !XED*& F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2961239a-8a00-4b3d-b457-8a387db9dd51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=the0**0+&ED ]Ɋ&  !XED+& F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2961239a-8a00-4b3d-b457-8a387db9dd51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ror0**0,&ED ]Ɋ&  !XED,& F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2961239a-8a00-4b3d-b457-8a387db9dd51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sc0**-&ED ]Ɋ&  !ED-& F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2961239a-8a00-4b3d-b457-8a387db9dd51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=4d75828d-4090-443e-aa86-96f2dd78692d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bo**.&GD ]Ɋ&  !GD.& F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=2961239a-8a00-4b3d-b457-8a387db9dd51 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=4d75828d-4090-443e-aa86-96f2dd78692d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Trig**/&GD ]Ɋ& K!XGD/& F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8476f55c-d713-4120-ae0e-a644bd64d62d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cti**0&GD ]Ɋ& c!XGD0& F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8476f55c-d713-4120-ae0e-a644bd64d62d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sBo**1&GD ]Ɋ& _!XGD1& F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8476f55c-d713-4120-ae0e-a644bd64d62d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **2&GD ]Ɋ& W!XGD2& F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8476f55c-d713-4120-ae0e-a644bd64d62d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**3&GD ]Ɋ& W!XGD3& F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8476f55c-d713-4120-ae0e-a644bd64d62d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S**4&GD ]Ɋ& Y!XGD4& F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8476f55c-d713-4120-ae0e-a644bd64d62d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=in32**X5&GD ]Ɋ& !GD5& F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8476f55c-d713-4120-ae0e-a644bd64d62d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=9a5fc387-b058-4575-899a-5eba9de70fb1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $shX**`6&vD ]Ɋ& !vD6& F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=8476f55c-d713-4120-ae0e-a644bd64d62d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=9a5fc387-b058-4575-899a-5eba9de70fb1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s|`** 7&vD ]Ɋ& w !XvD7& F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f6087e2e-d805-4111-9e4f-da144ab919d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e **88&vD ]Ɋ&  !XvD8& F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f6087e2e-d805-4111-9e4f-da144ab919d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**89&vD ]Ɋ&  !XvD9& F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f6087e2e-d805-4111-9e4f-da144ab919d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ins8**0:&vD ]Ɋ&  !XvD:& F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f6087e2e-d805-4111-9e4f-da144ab919d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=are0**0;&vD ]Ɋ&  !XvD;& F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f6087e2e-d805-4111-9e4f-da144ab919d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e -0**0<&vD ]Ɋ&  !XvD<& F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f6087e2e-d805-4111-9e4f-da144ab919d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== 0CommandName= ]Ɋ& CovD=& F& ]Ɋ& w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk=&O&=&O&W[Mu=VysMc&&**=&vD ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! e!vD=& F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f6087e2e-d805-4111-9e4f-da144ab919d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=08ca3e9a-8357-4393-8eb2-7e78f358fbe5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**>&vD ]Ɋ&  !vD>& F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=f6087e2e-d805-4111-9e4f-da144ab919d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=08ca3e9a-8357-4393-8eb2-7e78f358fbe5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=&** ?&tD ]Ɋ&  !XtD?& F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=397c25a4-f656-4cbf-a54b-e5795fb45644 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_ ** @&tD ]Ɋ&  !XtD@& F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=397c25a4-f656-4cbf-a54b-e5795fb45644 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ** A&tD ]Ɋ&  !XtDA& F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=397c25a4-f656-4cbf-a54b-e5795fb45644 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e=C ** B&tD ]Ɋ&  !XtDB& F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=397c25a4-f656-4cbf-a54b-e5795fb45644 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=jec ** C&tD ]Ɋ&  !XtDC& F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=397c25a4-f656-4cbf-a54b-e5795fb45644 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ada ** D&tD ]Ɋ&  !XtDD& F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=397c25a4-f656-4cbf-a54b-e5795fb45644 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-N ** E&tD ]Ɋ& e !tDE& F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=397c25a4-f656-4cbf-a54b-e5795fb45644 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=460b5dce-4973-4f1d-9f96-83fee682237b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=}  **XF&tD ]Ɋ&  !XtDF& F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=37b66b89-7bf5-46c2-b898-4f50a6b172de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=elX**pG&tD ]Ɋ&  !XtDG& F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=37b66b89-7bf5-46c2-b898-4f50a6b172de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**pH&tD ]Ɋ&  !XtDH& F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=37b66b89-7bf5-46c2-b898-4f50a6b172de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=actip**hI&tD ]Ɋ&  !XtDI& F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=37b66b89-7bf5-46c2-b898-4f50a6b172de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=son h**hJ&tD ]Ɋ&  !XtDJ& F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=37b66b89-7bf5-46c2-b898-4f50a6b172de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ih**hK&tD ]Ɋ&  !XtDK& F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=37b66b89-7bf5-46c2-b898-4f50a6b172de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pteh**L&tD ]Ɋ&  !tDL& F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=37b66b89-7bf5-46c2-b898-4f50a6b172de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=d1bc9cfa-7081-470b-b2dd-8121a13b2141 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ ** M&tD ]Ɋ& q !tDM& F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=397c25a4-f656-4cbf-a54b-e5795fb45644 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=460b5dce-4973-4f1d-9f96-83fee682237b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f (G **N&tD ]Ɋ& !tDN& F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=37b66b89-7bf5-46c2-b898-4f50a6b172de HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=d1bc9cfa-7081-470b-b2dd-8121a13b2141 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=G**XO&tD ]Ɋ&  !XtDO& F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=39d03188-1fde-4af9-a37d-0e0fb090c230 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=inXionPrefix '0 ]Ɋ& trXtDP& F&Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== 0CommandName= ]Ɋ& CovD=& F& ]Ɋ& w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnkP&q&P&q&hp}Mu=VysMc&&**xP&tD ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! U!XtDP& F&F%g>9{p(xlMD EventDatauoData !Binary EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=39d03188-1fde-4af9-a37d-0e0fb090c230 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=inex**pQ&tD ]Ɋ&  !XtDQ& F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=39d03188-1fde-4af9-a37d-0e0fb090c230 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Pathp**hR&tD ]Ɋ&  !XtDR& F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=39d03188-1fde-4af9-a37d-0e0fb090c230 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=terfh**hS&tD ]Ɋ&  !XtDS& F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=39d03188-1fde-4af9-a37d-0e0fb090c230 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Id= h**hT&tD ]Ɋ&  !XtDT& F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=39d03188-1fde-4af9-a37d-0e0fb090c230 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=apth**U&tD ]Ɋ&  !tDU& F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=39d03188-1fde-4af9-a37d-0e0fb090c230 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=3bada235-eaef-402a-9b45-dfbd48cccf41 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ceI**V&tD ]Ɋ& 7!XtDV& F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8f24887f-a31f-410e-9734-41243efcf047 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**W&tD ]Ɋ& O!XtDW& F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8f24887f-a31f-410e-9734-41243efcf047 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **X&tD ]Ɋ& K!XtDX& F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8f24887f-a31f-410e-9734-41243efcf047 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=g.S**Y&tD ]Ɋ& C!XtDY& F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8f24887f-a31f-410e-9734-41243efcf047 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Wri**Z&tD ]Ɋ& C!XtDZ& F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8f24887f-a31f-410e-9734-41243efcf047 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gna**[&tD ]Ɋ& E!XtD[& F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8f24887f-a31f-410e-9734-41243efcf047 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ku**\&tD ]Ɋ& !tD\& F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=39d03188-1fde-4af9-a37d-0e0fb090c230 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=3bada235-eaef-402a-9b45-dfbd48cccf41 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**@]&tD ]Ɋ& !tD]& F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8f24887f-a31f-410e-9734-41243efcf047 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=061517c9-e5a9-46ea-997b-439d848852aa PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ti@**P^& D ]Ɋ& ! D^& F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=8f24887f-a31f-410e-9734-41243efcf047 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=061517c9-e5a9-46ea-997b-439d848852aa PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= } |P**_&D ]Ɋ& U!XD_& F&2AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=72d551c9-de59-44f7-aafe-8bb46d7215ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **`&D ]Ɋ& m!XD`& F&JEnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=72d551c9-de59-44f7-aafe-8bb46d7215ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=lP**a&D ]Ɋ& i!XDa& F&FFileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=72d551c9-de59-44f7-aafe-8bb46d7215ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **b&D ]Ɋ& a!XDb& F&>FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=72d551c9-de59-44f7-aafe-8bb46d7215ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**c&D ]Ɋ& a!XDc& F&>RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=72d551c9-de59-44f7-aafe-8bb46d7215ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sage**d&D ]Ɋ& c!XDd& F&@VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=72d551c9-de59-44f7-aafe-8bb46d7215ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t **`e&D ]Ɋ& !De& F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=72d551c9-de59-44f7-aafe-8bb46d7215ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion=4.0 RunspaceId=173d21e4-468f-483d-b2bc-26326da40162 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ber`**hf&D ]Ɋ& !Df& F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=72d551c9-de59-44f7-aafe-8bb46d7215ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion=4.0 RunspaceId=173d21e4-468f-483d-b2bc-26326da40162 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ph**Hg&~LE ]Ɋ& !X~LEg& F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=33d2cd75-c3ea-403b-9af3-72b387a297ad HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=TH**`h&~LE ]Ɋ& !X~LEh& F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=33d2cd75-c3ea-403b-9af3-72b387a297ad HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t`**`i&~LE ]Ɋ& !X~LEi& F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=33d2cd75-c3ea-403b-9af3-72b387a297ad HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ver`**Xj&~LE ]Ɋ& !X~LEj& F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=33d2cd75-c3ea-403b-9af3-72b387a297ad HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== X**Xk&~LE ]Ɋ& !X~LEk& F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=33d2cd75-c3ea-403b-9af3-72b387a297ad HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { X**Xl&~LE ]Ɋ& !X~LEl& F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=33d2cd75-c3ea-403b-9af3-72b387a297ad HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= UX**m&~LE ]Ɋ& !~LEm& F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=33d2cd75-c3ea-403b-9af3-72b387a297ad HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=fa7c972f-9335-42b8-a0b6-8e025bafdfb9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=:$**n&- pE ]Ɋ&  !- pEn& F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=33d2cd75-c3ea-403b-9af3-72b387a297ad HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=fa7c972f-9335-42b8-a0b6-8e025bafdfb9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=olic**o&vE ]Ɋ& K!XvEo& F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b21ebddb-7cf5-4bed-9b55-5fe061c35263 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Oid**p&vE ]Ɋ& c!XvEp& F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b21ebddb-7cf5-4bed-9b55-5fe061c35263 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**q&vE ]Ɋ& _!XvEq& F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b21ebddb-7cf5-4bed-9b55-5fe061c35263 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= nd $_.Defaul ]Ɋ&  -XvEr& F&fg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== 0CommandName= ]Ɋ& CovD=& F& ]Ɋ& w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnkr&&r&&xhXwMu=VysMc&&** r&vE ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XvEr& F&F%g>9{p(xlMD EventDatauoData !Binary4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b21ebddb-7cf5-4bed-9b55-5fe061c35263 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=SU **s&vE ]Ɋ& W!XvEs& F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b21ebddb-7cf5-4bed-9b55-5fe061c35263 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**t&vE ]Ɋ& Y!XvEt& F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b21ebddb-7cf5-4bed-9b55-5fe061c35263 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= (-n**Xu&vE ]Ɋ& !vEu& F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b21ebddb-7cf5-4bed-9b55-5fe061c35263 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=24f311cb-a4ff-4f32-a8af-2c9425b23d14 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=uritX**`v&vE ]Ɋ& !vEv& F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b21ebddb-7cf5-4bed-9b55-5fe061c35263 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=24f311cb-a4ff-4f32-a8af-2c9425b23d14 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=39`** w&vE ]Ɋ& w !XvEw& F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=340d7421-e428-478a-a060-035d2e55fc91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o **8x&vE ]Ɋ&  !XvEx& F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=340d7421-e428-478a-a060-035d2e55fc91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m8**8y&vE ]Ɋ&  !XvEy& F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=340d7421-e428-478a-a060-035d2e55fc91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=neS8**0z&vE ]Ɋ&  !XvEz& F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=340d7421-e428-478a-a060-035d2e55fc91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= F0**0{&vE ]Ɋ&  !XvE{& F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=340d7421-e428-478a-a060-035d2e55fc91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=et-0**0|&vE ]Ɋ&  !XvE|& F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=340d7421-e428-478a-a060-035d2e55fc91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== 0**}&vE ]Ɋ&  !vE}& F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=340d7421-e428-478a-a060-035d2e55fc91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=89cc0d92-a9c1-4acc-9747-7161fc220010 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Us**~&;GwE ]Ɋ&  !;GwE~& F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=340d7421-e428-478a-a060-035d2e55fc91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=89cc0d92-a9c1-4acc-9747-7161fc220010 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er=1** &;GwE ]Ɋ&  !X;GwE& F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5c8e900e-6272-41ac-8d3e-013c07c649df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o ** &;GwE ]Ɋ&  !X;GwE& F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5c8e900e-6272-41ac-8d3e-013c07c649df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ** &;GwE ]Ɋ&  !X;GwE& F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5c8e900e-6272-41ac-8d3e-013c07c649df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sio ** &;GwE ]Ɋ&  !X;GwE& F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5c8e900e-6272-41ac-8d3e-013c07c649df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { ** &;GwE ]Ɋ&  !X;GwE& F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5c8e900e-6272-41ac-8d3e-013c07c649df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Wi ** &;GwE ]Ɋ&  !X;GwE& F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5c8e900e-6272-41ac-8d3e-013c07c649df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** &;GwE ]Ɋ& e !;GwE& F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5c8e900e-6272-41ac-8d3e-013c07c649df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=5af4c146-5b3b-4ff3-a26f-beb56bdf9e5d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rt ** &;GwE ]Ɋ& q !;GwE& F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5c8e900e-6272-41ac-8d3e-013c07c649df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=5af4c146-5b3b-4ff3-a26f-beb56bdf9e5d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=75-c **&;GwE ]Ɋ& 7!X;GwE& F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=da3cfea3-2d23-43cd-873a-e2f7da9656a6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **&;GwE ]Ɋ& O!X;GwE& F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=da3cfea3-2d23-43cd-873a-e2f7da9656a6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**&;GwE ]Ɋ& K!X;GwE& F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=da3cfea3-2d23-43cd-873a-e2f7da9656a6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=las**&;GwE ]Ɋ& C!X;GwE& F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=da3cfea3-2d23-43cd-873a-e2f7da9656a6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ceI PipelineI ]Ɋ&  X;GwE& F&= 0CommandName= ]Ɋ& CovD=& F& ]Ɋ& w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk&&&&X"JvMu=VysMc&&** &;GwE ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X;GwE& F&F%g>9{p(xlMD EventDatauoData !Binary RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=da3cfea3-2d23-43cd-873a-e2f7da9656a6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **&;GwE ]Ɋ& E!X;GwE& F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=da3cfea3-2d23-43cd-873a-e2f7da9656a6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h=**@&;GwE ]Ɋ& !;GwE& F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=da3cfea3-2d23-43cd-873a-e2f7da9656a6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=eea2d13b-34c7-43d5-9d00-e48d064e9a23 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=&@**P&wE ]Ɋ& !wE& F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=da3cfea3-2d23-43cd-873a-e2f7da9656a6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=eea2d13b-34c7-43d5-9d00-e48d064e9a23 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**P**H&E ]Ɋ& !XE& F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=49859b96-4dec-4ddd-9222-a9040eae340d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=SH**`&E ]Ɋ& !XE& F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=49859b96-4dec-4ddd-9222-a9040eae340d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l`**`&E ]Ɋ& !XE& F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=49859b96-4dec-4ddd-9222-a9040eae340d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ($`**X&E ]Ɋ& !XE& F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=49859b96-4dec-4ddd-9222-a9040eae340d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= elX**X&E ]Ɋ& !XE& F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=49859b96-4dec-4ddd-9222-a9040eae340d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=StaX**X&E ]Ɋ& !XE& F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=49859b96-4dec-4ddd-9222-a9040eae340d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**&E ]Ɋ& !E& F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=49859b96-4dec-4ddd-9222-a9040eae340d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=ced33177-df55-42af-a10e-2df682071ee3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ti**&BqF ]Ɋ&  !BqF& F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=49859b96-4dec-4ddd-9222-a9040eae340d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=ced33177-df55-42af-a10e-2df682071ee3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h **&l(F ]Ɋ& K!Xl(F& F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=74c23de1-73ec-4bec-b391-a9e83c0f5bc0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **&l(F ]Ɋ& c!Xl(F& F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=74c23de1-73ec-4bec-b391-a9e83c0f5bc0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Add**&l(F ]Ɋ& _!Xl(F& F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=74c23de1-73ec-4bec-b391-a9e83c0f5bc0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **&l(F ]Ɋ& W!Xl(F& F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=74c23de1-73ec-4bec-b391-a9e83c0f5bc0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P**&l(F ]Ɋ& W!Xl(F& F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=74c23de1-73ec-4bec-b391-a9e83c0f5bc0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **&l(F ]Ɋ& Y!Xl(F& F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=74c23de1-73ec-4bec-b391-a9e83c0f5bc0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **X&l(F ]Ɋ& !l(F& F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=74c23de1-73ec-4bec-b391-a9e83c0f5bc0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=de86f96d-87af-40fd-ba15-01d6bbc7654e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=vEX**`&)F ]Ɋ& !)F& F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=74c23de1-73ec-4bec-b391-a9e83c0f5bc0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=de86f96d-87af-40fd-ba15-01d6bbc7654e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dr`** &)F ]Ɋ& w !X)F& F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=3fedde5b-29e2-4caa-ab6a-a61d31719912 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e **8&)F ]Ɋ&  !X)F& F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=3fedde5b-29e2-4caa-ab6a-a61d31719912 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=F8**8&)F ]Ɋ&  !X)F& F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=3fedde5b-29e2-4caa-ab6a-a61d31719912 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Dom8**0&)F ]Ɋ&  !X)F& F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=3fedde5b-29e2-4caa-ab6a-a61d31719912 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rNa0**0&)F ]Ɋ&  !X)F& F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=3fedde5b-29e2-4caa-ab6a-a61d31719912 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Con0**0&)F ]Ɋ&  !X)F& F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=3fedde5b-29e2-4caa-ab6a-a61d31719912 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=;Gw0**&)F ]Ɋ&  !)F& F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=3fedde5b-29e2-4caa-ab6a-a61d31719912 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=431f42a9-2b6a-48fd-b84a-14df116da5f2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=am**&*F ]Ɋ&  !*F& F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=3fedde5b-29e2-4caa-ab6a-a61d31719912 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=431f42a9-2b6a-48fd-b84a-14df116da5f2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=6bdf** &*F ]Ɋ&  !X*F& F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4eaccbd0-b0ad-4d4a-b27b-9bf05d80452e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ** &*F ]Ɋ&  !X*F& F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4eaccbd0-b0ad-4d4a-b27b-9bf05d80452e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t ProviderNa ]Ɋ& enX*F& F&leHost HostVersion=4.0 HostId=da3cfea3-2d23-43cd-873a-e2f7da9656a6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ceI PipelineI ]Ɋ&  X;GwE& F&= 0CommandName= ]Ɋ& CovD=& F& ]Ɋ& w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk&&&&H`kpMu=VysMc&&** &*F ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !X*F& F&F%g>9{p(xlMD EventDatauoData !BinaryFileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4eaccbd0-b0ad-4d4a-b27b-9bf05d80452e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** &*F ]Ɋ&  !X*F& F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4eaccbd0-b0ad-4d4a-b27b-9bf05d80452e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=equ ** &*F ]Ɋ&  !X*F& F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4eaccbd0-b0ad-4d4a-b27b-9bf05d80452e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** &*F ]Ɋ&  !X*F& F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4eaccbd0-b0ad-4d4a-b27b-9bf05d80452e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==C ** &*F ]Ɋ& e !*F& F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4eaccbd0-b0ad-4d4a-b27b-9bf05d80452e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=7ff109fa-b227-41e5-9b0a-702e1727b507 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=id ** &*F ]Ɋ& q !*F& F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4eaccbd0-b0ad-4d4a-b27b-9bf05d80452e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=7ff109fa-b227-41e5-9b0a-702e1727b507 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ineI **&0*F ]Ɋ& 7!X0*F& F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2e432926-69ea-4800-8f2a-9f6ee7b8df89 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**&0*F ]Ɋ& O!X0*F& F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2e432926-69ea-4800-8f2a-9f6ee7b8df89 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **&0*F ]Ɋ& K!X0*F& F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2e432926-69ea-4800-8f2a-9f6ee7b8df89 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gin**&0*F ]Ɋ& C!X0*F& F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2e432926-69ea-4800-8f2a-9f6ee7b8df89 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ss **&0*F ]Ɋ& C!X0*F& F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2e432926-69ea-4800-8f2a-9f6ee7b8df89 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -C**&0*F ]Ɋ& E!X0*F& F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2e432926-69ea-4800-8f2a-9f6ee7b8df89 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tT**@&0*F ]Ɋ& !0*F& F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2e432926-69ea-4800-8f2a-9f6ee7b8df89 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=27ee13c4-80f0-4bee-a1a5-5d7d6d8accc7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eV@**P&0*F ]Ɋ& !0*F& F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=2e432926-69ea-4800-8f2a-9f6ee7b8df89 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=27ee13c4-80f0-4bee-a1a5-5d7d6d8accc7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ess P**H&:F ]Ɋ& !X:F& F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b8efc24f-28ec-4256-94f2-ab08c5514c50 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cH**`&:F ]Ɋ& !X:F& F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b8efc24f-28ec-4256-94f2-ab08c5514c50 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**`&:F ]Ɋ& !X:F& F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b8efc24f-28ec-4256-94f2-ab08c5514c50 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $_`**X&:F ]Ɋ& !X:F& F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b8efc24f-28ec-4256-94f2-ab08c5514c50 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e5bX**X&:F ]Ɋ& !X:F& F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b8efc24f-28ec-4256-94f2-ab08c5514c50 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ctiX**X&:F ]Ɋ& !X:F& F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b8efc24f-28ec-4256-94f2-ab08c5514c50 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=GaX**&:F ]Ɋ& !:F& F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b8efc24f-28ec-4256-94f2-ab08c5514c50 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=47879fe9-a73e-448b-bb0d-6373d9d53149 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=te**&:F ]Ɋ&  !:F& F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b8efc24f-28ec-4256-94f2-ab08c5514c50 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=47879fe9-a73e-448b-bb0d-6373d9d53149 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= = G**X&9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=343815db-66af-4378-93bb-eead7e724831 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=5a5b41ec-7f55-4ec9-b14c-d051d5f515aa PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sC**X&b-F ]Ɋ&  !Xb-F& F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=11b634e1-d3b9-459d-8191-3ad12510050b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**p&b-F ]Ɋ&  !Xb-F& F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=11b634e1-d3b9-459d-8191-3ad12510050b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eIp**p&b-F ]Ɋ&  !Xb-F& F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=11b634e1-d3b9-459d-8191-3ad12510050b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ineVp**h&b-F ]Ɋ&  !Xb-F& F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=11b634e1-d3b9-459d-8191-3ad12510050b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**h&b-F ]Ɋ&  !Xb-F& F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=11b634e1-d3b9-459d-8191-3ad12510050b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ect h**h&b-F ]Ɋ&  !Xb-F& F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=11b634e1-d3b9-459d-8191-3ad12510050b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**&b-F ]Ɋ&  !b-F& F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=11b634e1-d3b9-459d-8191-3ad12510050b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=05b28c47-956b-4889-afbc-13f6f35410c7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C**&b-F ]Ɋ& !b-F& F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=11b634e1-d3b9-459d-8191-3ad12510050b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=05b28c47-956b-4889-afbc-13f6f35410c7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==** &b-F ]Ɋ& w !Xb-F& F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=603ac155-a685-4a6d-8b54-40726f8e66a7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=9 **8&b-F ]Ɋ&  !Xb-F& F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=603ac155-a685-4a6d-8b54-40726f8e66a7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8&b-F ]Ɋ&  !Xb-F& F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=603ac155-a685-4a6d-8b54-40726f8e66a7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nso8**0&b-F ]Ɋ&  !Xb-F& F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=603ac155-a685-4a6d-8b54-40726f8e66a7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=enc0**0&b-F ]Ɋ&  !Xb-F& F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=603ac155-a685-4a6d-8b54-40726f8e66a7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ovi0**0&b-F ]Ɋ&  !Xb-F& F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=603ac155-a685-4a6d-8b54-40726f8e66a7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ov0**&b-F ]Ɋ&  !b-F& F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=603ac155-a685-4a6d-8b54-40726f8e66a7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=04f227a2-4686-4d9c-8a56-e759ed708ad2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=va**&F ]Ɋ&  !F& F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=603ac155-a685-4a6d-8b54-40726f8e66a7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=04f227a2-4686-4d9c-8a56-e759ed708ad2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=habl -and $_.Lin ]Ɋ& reXF& F&ceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ceI PipelineI ]Ɋ&  X;GwE& F&= 0CommandName= ]Ɋ& CovD=& F& ]Ɋ& w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk&&&&*H:I.Mu=VysMc&&**&F ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XF& F&F%g>9{p(xlMD EventDatauoData !Binary AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=13b2089c-465a-41c0-bceb-cdb89ca66404 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **&F ]Ɋ&  !XF& F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=13b2089c-465a-41c0-bceb-cdb89ca66404 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**&F ]Ɋ& !XF& F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=13b2089c-465a-41c0-bceb-cdb89ca66404 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**&F ]Ɋ&  !XF& F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=13b2089c-465a-41c0-bceb-cdb89ca66404 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=FӨ**&F ]Ɋ&  !XF& F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=13b2089c-465a-41c0-bceb-cdb89ca66404 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ov**&F ]Ɋ&  !XF& F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=13b2089c-465a-41c0-bceb-cdb89ca66404 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S**&F ]Ɋ& O!F& F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=13b2089c-465a-41c0-bceb-cdb89ca66404 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=d0dae431-48c1-49a2-ad27-0a4a4c67ca6f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**&^F ]Ɋ& [!^F& F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=13b2089c-465a-41c0-bceb-cdb89ca66404 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=d0dae431-48c1-49a2-ad27-0a4a4c67ca6f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=59d**8 &F ]Ɋ&  !XF& F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a7c987c7-4e88-4851-945b-6b8460dd9a46 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8 **P &F ]Ɋ&  !XF& F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a7c987c7-4e88-4851-945b-6b8460dd9a46 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=meP **P &F ]Ɋ&  !XF& F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a7c987c7-4e88-4851-945b-6b8460dd9a46 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gnorP **H &F ]Ɋ&  !XF& F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a7c987c7-4e88-4851-945b-6b8460dd9a46 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tewaH **H &F ]Ɋ&  !XF& F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a7c987c7-4e88-4851-945b-6b8460dd9a46 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H **H &F ]Ɋ&  !XF& F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a7c987c7-4e88-4851-945b-6b8460dd9a46 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=| WH ** &C#F ]Ɋ&  !C#F& F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a7c987c7-4e88-4851-945b-6b8460dd9a46 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=95c0526d-7185-4588-b582-fdd5a09ef0e7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { ** &C#F ]Ɋ&  !C#F& F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=a7c987c7-4e88-4851-945b-6b8460dd9a46 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=95c0526d-7185-4588-b582-fdd5a09ef0e7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r ** &C#F ]Ɋ& w !XC#F& F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9ee12dc6-a01d-44b2-acef-66c0803921d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t  { # ignor ]Ɋ&  iXC#F& F&e -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=04f227a2-4686-4d9c-8a56-e759ed708ad2 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=habl -and $_.Lin ]Ɋ& reXF& F&ceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ceI PipelineI ]Ɋ&  X;GwE& F&= 0CommandName= ]Ɋ& CovD=& F& ]Ɋ& w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk&&&&WGªMu=VysMc&&**@&C#F ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XC#F& F&F%g>9{p(xlMD EventDatauoData !Binaryl EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9ee12dc6-a01d-44b2-acef-66c0803921d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== @**8&C#F ]Ɋ&  !XC#F& F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9ee12dc6-a01d-44b2-acef-66c0803921d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sio8**0&C#F ]Ɋ&  !XC#F& F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9ee12dc6-a01d-44b2-acef-66c0803921d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Out0**0&C#F ]Ɋ&  !XC#F& F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9ee12dc6-a01d-44b2-acef-66c0803921d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l -0**0&C#F ]Ɋ&  !XC#F& F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9ee12dc6-a01d-44b2-acef-66c0803921d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-E0**&C#F ]Ɋ&  !C#F& F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9ee12dc6-a01d-44b2-acef-66c0803921d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=9d5d5000-4214-4ee7-a38f-3b2b2d5f6513 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Tr**&ڻF ]Ɋ&  !ڻF& F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=9ee12dc6-a01d-44b2-acef-66c0803921d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=9d5d5000-4214-4ee7-a38f-3b2b2d5f6513 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ame **&ڻF ]Ɋ& K!XڻF& F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=432bd7e4-f8a2-4c7f-ab29-b3a51d261151 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ept**&ڻF ]Ɋ& c!XڻF& F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=432bd7e4-f8a2-4c7f-ab29-b3a51d261151 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s) **&ڻF ]Ɋ& _!XڻF& F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=432bd7e4-f8a2-4c7f-ab29-b3a51d261151 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**&ڻF ]Ɋ& W!XڻF& F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=432bd7e4-f8a2-4c7f-ab29-b3a51d261151 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-**&ڻF ]Ɋ& W!XڻF& F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=432bd7e4-f8a2-4c7f-ab29-b3a51d261151 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=u**&ڻF ]Ɋ& Y!XڻF& F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=432bd7e4-f8a2-4c7f-ab29-b3a51d261151 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h ($**X&ڻF ]Ɋ& !ڻF& F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=432bd7e4-f8a2-4c7f-ab29-b3a51d261151 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=bf9592ff-99bb-4185-9ba8-895f1d8ee46c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= tX**`&ڻF ]Ɋ& !ڻF& F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=432bd7e4-f8a2-4c7f-ab29-b3a51d261151 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=bf9592ff-99bb-4185-9ba8-895f1d8ee46c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=et`** &ڻF ]Ɋ& w !XڻF& F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=59ad0586-a264-404c-b8e0-90fd69fd5d1b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P **8&ڻF ]Ɋ&  !XڻF& F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=59ad0586-a264-404c-b8e0-90fd69fd5d1b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n8**8&ڻF ]Ɋ&  !XڻF& F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=59ad0586-a264-404c-b8e0-90fd69fd5d1b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rAc8**0&ڻF ]Ɋ&  !XڻF& F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=59ad0586-a264-404c-b8e0-90fd69fd5d1b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oc.0**0&ڻF ]Ɋ&  !XڻF& F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=59ad0586-a264-404c-b8e0-90fd69fd5d1b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Kil0**0&ڻF ]Ɋ&  !XڻF& F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=59ad0586-a264-404c-b8e0-90fd69fd5d1b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= (0**&ڻF ]Ɋ&  !ڻF& F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=59ad0586-a264-404c-b8e0-90fd69fd5d1b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=cf3d694b-a1b4-4dc7-951b-73f242cb211c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=C ]Ɋ& pTF& F&w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk&'&'̐cHV0Mu=VysMc&&**&pTF ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! q!pTF& F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=59ad0586-a264-404c-b8e0-90fd69fd5d1b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=cf3d694b-a1b4-4dc7-951b-73f242cb211c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** &pTF ]Ɋ&  !XpTF& F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=500a54df-b63c-41f7-bcc1-262acb5118ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=W ** 'pTF ]Ɋ&  !XpTF' F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=500a54df-b63c-41f7-bcc1-262acb5118ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** 'pTF ]Ɋ&  !XpTF' F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=500a54df-b63c-41f7-bcc1-262acb5118ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ovi ** 'pTF ]Ɋ&  !XpTF' F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=500a54df-b63c-41f7-bcc1-262acb5118ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Ob ** 'pTF ]Ɋ&  !XpTF' F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=500a54df-b63c-41f7-bcc1-262acb5118ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sel ** 'pTF ]Ɋ&  !XpTF' F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=500a54df-b63c-41f7-bcc1-262acb5118ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-a ** 'pTF ]Ɋ& e !pTF' F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=500a54df-b63c-41f7-bcc1-262acb5118ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=1e4998fd-5ddb-4a6f-a91a-f4eabd0461bd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y  **X'F ]Ɋ&  !XF' F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4f623030-2df2-4688-b20e-4d76029a69d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=edX**p'F ]Ɋ&  !XF' F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4f623030-2df2-4688-b20e-4d76029a69d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=anp**p'F ]Ɋ&  !XF' F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4f623030-2df2-4688-b20e-4d76029a69d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Hosp**h 'F ]Ɋ&  !XF ' F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4f623030-2df2-4688-b20e-4d76029a69d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1) {h**h 'F ]Ɋ&  !XF ' F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4f623030-2df2-4688-b20e-4d76029a69d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on Sh**h 'F ]Ɋ&  !XF ' F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4f623030-2df2-4688-b20e-4d76029a69d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ecth** 'F ]Ɋ&  !F ' F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4f623030-2df2-4688-b20e-4d76029a69d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=4ec6c786-f6b5-4583-a3e9-b9afc84c653f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s -** 'F ]Ɋ& q !F ' F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=500a54df-b63c-41f7-bcc1-262acb5118ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=1e4998fd-5ddb-4a6f-a91a-f4eabd0461bd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rorA **'F ]Ɋ& !F' F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4f623030-2df2-4688-b20e-4d76029a69d4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=4ec6c786-f6b5-4583-a3e9-b9afc84c653f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**X'F ]Ɋ&  !XF' F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=05bdba85-a695-4642-80b3-583449f53860 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=SiX**p'F ]Ɋ&  !XF' F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=05bdba85-a695-4642-80b3-583449f53860 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= =pet-NetRoute  ]Ɋ& utXF' F&f ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=cf3d694b-a1b4-4dc7-951b-73f242cb211c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=C ]Ɋ& pTF& F&w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk'4''4'6:LMu=VysMc&&**p'F ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! Q!XF' F&F%g>9{p(xlMD EventDatauoData !Binary FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=05bdba85-a695-4642-80b3-583449f53860 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Cp**h'F ]Ɋ&  !XF' F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=05bdba85-a695-4642-80b3-583449f53860 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndexh**h'F ]Ɋ&  !XF' F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=05bdba85-a695-4642-80b3-583449f53860 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mmanh**h'F ]Ɋ&  !XF' F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=05bdba85-a695-4642-80b3-583449f53860 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ h**'F ]Ɋ&  !F' F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=05bdba85-a695-4642-80b3-583449f53860 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=dd02bad3-b709-4156-8b70-b58b2a4d832e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Pip**'F ]Ɋ& 7!XF' F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8b192a3e-3dfa-4382-b292-72137dc27c4a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=)**'F ]Ɋ& O!XF' F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8b192a3e-3dfa-4382-b292-72137dc27c4a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**'F ]Ɋ& K!XF' F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8b192a3e-3dfa-4382-b292-72137dc27c4a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -e**'F ]Ɋ& C!XF' F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8b192a3e-3dfa-4382-b292-72137dc27c4a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tpu**'F ]Ɋ& C!XF' F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8b192a3e-3dfa-4382-b292-72137dc27c4a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Li**'F ]Ɋ& E!XF' F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8b192a3e-3dfa-4382-b292-72137dc27c4a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **@'F ]Ɋ& !F' F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8b192a3e-3dfa-4382-b292-72137dc27c4a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=a1fe3464-4860-4ff4-a5cf-063931696322 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ow@**'F ]Ɋ& !F' F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=05bdba85-a695-4642-80b3-583449f53860 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=dd02bad3-b709-4156-8b70-b58b2a4d832e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c**P'F ]Ɋ& !F' F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=8b192a3e-3dfa-4382-b292-72137dc27c4a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=a1fe3464-4860-4ff4-a5cf-063931696322 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ect-P**'>G ]Ɋ& U!X>G' F&2AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9529eb0f-48cc-48e7-8406-8b405e27bfbc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dT** '>G ]Ɋ& m!X>G ' F&JEnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9529eb0f-48cc-48e7-8406-8b405e27bfbc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=at**!'>G ]Ɋ& i!X>G!' F&FFileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9529eb0f-48cc-48e7-8406-8b405e27bfbc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=uTyp**"'>G ]Ɋ& a!X>G"' F&>FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9529eb0f-48cc-48e7-8406-8b405e27bfbc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**#'>G ]Ɋ& a!X>G#' F&>RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9529eb0f-48cc-48e7-8406-8b405e27bfbc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **$'>G ]Ɋ& c!X>G$' F&@VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9529eb0f-48cc-48e7-8406-8b405e27bfbc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **`%'[G ]Ɋ& ![G%' F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9529eb0f-48cc-48e7-8406-8b405e27bfbc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion=4.0 RunspaceId=aa2b8b30-8c30-4b48-82ab-47690439cfc5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**h&'[G ]Ɋ& ![G&' F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9529eb0f-48cc-48e7-8406-8b405e27bfbc HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion=4.0 RunspaceId=aa2b8b30-8c30-4b48-82ab-47690439cfc5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**H''feG ]Ɋ& !XfeG'' F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=39934ec6-eee9-445b-9872-0b4dcfceeb30 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=hH**`('feG ]Ɋ& !XfeG(' F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=39934ec6-eee9-445b-9872-0b4dcfceeb30 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=v`**`)'feG ]Ɋ& !XfeG)' F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=39934ec6-eee9-445b-9872-0b4dcfceeb30 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sse`**X*'feG ]Ɋ& !XfeG*' F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=39934ec6-eee9-445b-9872-0b4dcfceeb30 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=andX**X+'feG ]Ɋ& !XfeG+' F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=39934ec6-eee9-445b-9872-0b4dcfceeb30 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**X,'feG ]Ɋ& !XfeG,' F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=39934ec6-eee9-445b-9872-0b4dcfceeb30 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xtX**-'feG ]Ɋ& !feG-' F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=39934ec6-eee9-445b-9872-0b4dcfceeb30 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=0c540d89-f6fc-4a7e-b104-a6e03e2c288e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -**.'рG ]Ɋ&  !рG.' F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=39934ec6-eee9-445b-9872-0b4dcfceeb30 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=0c540d89-f6fc-4a7e-b104-a6e03e2c288e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pass**/'G ]Ɋ& K!XG/' F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9dee7aa4-925c-46ee-800d-90c7f99c9822 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e -**0'G ]Ɋ& c!XG0' F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9dee7aa4-925c-46ee-800d-90c7f99c9822 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**1'G ]Ɋ& _!XG1' F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9dee7aa4-925c-46ee-800d-90c7f99c9822 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**2'G ]Ɋ& W!XG2' F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9dee7aa4-925c-46ee-800d-90c7f99c9822 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **3'G ]Ɋ& W!XG3' F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9dee7aa4-925c-46ee-800d-90c7f99c9822 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **4'G ]Ɋ& Y!XG4' F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9dee7aa4-925c-46ee-800d-90c7f99c9822 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndNa= CommandT ]Ɋ& =G5' F& pTF& F&w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk5'M'5'M'8xqD8Mu=VysMc&&**X 5'G ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! 9!G5' F&F%g>9{p(xlMD EventDatauoData !BinaryAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9dee7aa4-925c-46ee-800d-90c7f99c9822 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=c6844de7-ff6a-433b-b8db-4d32be0d5e40 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X **`6'G ]Ɋ& !G6' F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9dee7aa4-925c-46ee-800d-90c7f99c9822 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=c6844de7-ff6a-433b-b8db-4d32be0d5e40 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=(`** 7'G ]Ɋ& w !XG7' F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a5691aba-386d-4d90-994e-f375520746ea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **88'G ]Ɋ&  !XG8' F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a5691aba-386d-4d90-994e-f375520746ea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l8**89'G ]Ɋ&  !XG9' F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a5691aba-386d-4d90-994e-f375520746ea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ore8**0:'G ]Ɋ&  !XG:' F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a5691aba-386d-4d90-994e-f375520746ea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cat0**0;'G ]Ɋ&  !XG;' F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a5691aba-386d-4d90-994e-f375520746ea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omm0**0<'G ]Ɋ&  !XG<' F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a5691aba-386d-4d90-994e-f375520746ea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er0**='G ]Ɋ&  !G=' F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a5691aba-386d-4d90-994e-f375520746ea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=26a07b2d-09d0-495f-b0e6-5b43e939f17e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Js**>'8G ]Ɋ&  !8G>' F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=a5691aba-386d-4d90-994e-f375520746ea HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=26a07b2d-09d0-495f-b0e6-5b43e939f17e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tput** ?'8G ]Ɋ&  !X8G?' F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7c7fad86-5a37-4385-a6e6-1f44fb4c224b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S ** @'8G ]Ɋ&  !X8G@' F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7c7fad86-5a37-4385-a6e6-1f44fb4c224b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d ** A'8G ]Ɋ&  !X8GA' F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7c7fad86-5a37-4385-a6e6-1f44fb4c224b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** B'8G ]Ɋ&  !X8GB' F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7c7fad86-5a37-4385-a6e6-1f44fb4c224b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** C'8G ]Ɋ&  !X8GC' F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7c7fad86-5a37-4385-a6e6-1f44fb4c224b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=b-4 ** D'8G ]Ɋ&  !X8GD' F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7c7fad86-5a37-4385-a6e6-1f44fb4c224b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** E'8G ]Ɋ& e !8GE' F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7c7fad86-5a37-4385-a6e6-1f44fb4c224b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=4ab626be-162a-4ed2-8cb3-bed6c50fac39 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ho ** F'$G ]Ɋ& q !$GF' F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=7c7fad86-5a37-4385-a6e6-1f44fb4c224b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=4ab626be-162a-4ed2-8cb3-bed6c50fac39 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=:\Pr **G'$G ]Ɋ& 7!X$GG' F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d3aafbf6-3956-4052-95dd-dcb2059b7124 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=T**H'$G ]Ɋ& O!X$GH' F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d3aafbf6-3956-4052-95dd-dcb2059b7124 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d**I'$G ]Ɋ& K!X$GI' F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d3aafbf6-3956-4052-95dd-dcb2059b7124 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Nam**J'$G ]Ɋ& C!X$GJ' F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d3aafbf6-3956-4052-95dd-dcb2059b7124 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eId**K'$G ]Ɋ& C!X$GK' F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d3aafbf6-3956-4052-95dd-dcb2059b7124 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Pi**L'$G ]Ɋ& E!X$GL' F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d3aafbf6-3956-4052-95dd-dcb2059b7124 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ce**@M'$G ]Ɋ& !$GM' F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d3aafbf6-3956-4052-95dd-dcb2059b7124 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=b2b45ba4-4af4-4e34-b588-edfc243e66c6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me@ CommandTyp ]Ɋ& eGN' F& =G5' F& pTF& F&w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnkN'j'N'j'L2/Mu=VysMc&&**P N'eG ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! 1!eGN' F&F%g>9{p(xlMD EventDatauoData !Binary~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d3aafbf6-3956-4052-95dd-dcb2059b7124 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=b2b45ba4-4af4-4e34-b588-edfc243e66c6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P **HO'6H ]Ɋ& !X6HO' F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ab0335af-9ef6-48d8-a67c-00f23dda9187 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=zH**`P'6H ]Ɋ& !X6HP' F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ab0335af-9ef6-48d8-a67c-00f23dda9187 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p`**`Q'6H ]Ɋ& !X6HQ' F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ab0335af-9ef6-48d8-a67c-00f23dda9187 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**XR'6H ]Ɋ& !X6HR' F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ab0335af-9ef6-48d8-a67c-00f23dda9187 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 1 X**XS'6H ]Ɋ& !X6HS' F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ab0335af-9ef6-48d8-a67c-00f23dda9187 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ProX**XT'6H ]Ɋ& !X6HT' F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ab0335af-9ef6-48d8-a67c-00f23dda9187 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) X**U'6H ]Ɋ& !6HU' F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ab0335af-9ef6-48d8-a67c-00f23dda9187 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a18b6ae7-1313-4b2d-85c2-7b516bb1f1a6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on**V'f8H ]Ɋ&  !f8HV' F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ab0335af-9ef6-48d8-a67c-00f23dda9187 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a18b6ae7-1313-4b2d-85c2-7b516bb1f1a6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= FӸ**W'=H ]Ɋ& K!X=HW' F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5a4c2c24-6f73-4d69-8a63-077be1feeb24 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1 **X'=H ]Ɋ& c!X=HX' F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5a4c2c24-6f73-4d69-8a63-077be1feeb24 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$cf**Y'=H ]Ɋ& _!X=HY' F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5a4c2c24-6f73-4d69-8a63-077be1feeb24 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**Z'=H ]Ɋ& W!X=HZ' F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5a4c2c24-6f73-4d69-8a63-077be1feeb24 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=D**['=H ]Ɋ& W!X=H[' F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5a4c2c24-6f73-4d69-8a63-077be1feeb24 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**\'=H ]Ɋ& Y!X=H\' F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5a4c2c24-6f73-4d69-8a63-077be1feeb24 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y ne**X]'=H ]Ɋ& !=H]' F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5a4c2c24-6f73-4d69-8a63-077be1feeb24 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=2a822865-5ea5-49ea-8723-4225f1a30165 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=XX**`^'=H ]Ɋ& !=H^' F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5a4c2c24-6f73-4d69-8a63-077be1feeb24 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=2a822865-5ea5-49ea-8723-4225f1a30165 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er`** _'=H ]Ɋ& w !X=H_' F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e0abde68-fb33-4e27-80dd-c8ce0c184d6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d **8`'=H ]Ɋ&  !X=H`' F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e0abde68-fb33-4e27-80dd-c8ce0c184d6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=O8**8a'=H ]Ɋ&  !X=Ha' F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e0abde68-fb33-4e27-80dd-c8ce0c184d6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rIn8**0b'=H ]Ɋ&  !X=Hb' F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e0abde68-fb33-4e27-80dd-c8ce0c184d6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Pr0**0c'=H ]Ɋ&  !X=Hc' F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e0abde68-fb33-4e27-80dd-c8ce0c184d6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= +=0**0d'=H ]Ɋ&  !X=Hd' F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e0abde68-fb33-4e27-80dd-c8ce0c184d6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=*0**e'=H ]Ɋ&  !=He' F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e0abde68-fb33-4e27-80dd-c8ce0c184d6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=670fd184-cc5b-45e8-b222-3553d5a1f181 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ad**f'\>H ]Ɋ&  !\>Hf' F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=e0abde68-fb33-4e27-80dd-c8ce0c184d6a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=670fd184-cc5b-45e8-b222-3553d5a1f181 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cb3-** g'\>H ]Ɋ&  !X\>Hg' F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2acc85ad-a7ca-4835-85b7-07a95b0420d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y ** h'\>H ]Ɋ&  !X\>Hh' F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2acc85ad-a7ca-4835-85b7-07a95b0420d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i ** i'\>H ]Ɋ&  !X\>Hi' F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2acc85ad-a7ca-4835-85b7-07a95b0420d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=to ** j'\>H ]Ɋ&  !X\>Hj' F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2acc85ad-a7ca-4835-85b7-07a95b0420d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-No nteractive - ]Ɋ& -NX\>Hk' F&.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=b2b45ba4-4af4-4e34-b588-edfc243e66c6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me@ CommandTyp ]Ɋ& eGN' F& =G5' F& pTF& F&w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnkk''k''x8%U)Mu=VysMc&&** k'\>H ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !X\>Hk' F&F%g>9{p(xlMD EventDatauoData !BinaryRegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2acc85ad-a7ca-4835-85b7-07a95b0420d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** l'\>H ]Ɋ&  !X\>Hl' F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2acc85ad-a7ca-4835-85b7-07a95b0420d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=& ** m'\>H ]Ɋ& e !\>Hm' F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2acc85ad-a7ca-4835-85b7-07a95b0420d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=0929488e-db1c-4043-b280-85516cb0d9e3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tN ** n',>H ]Ɋ& q !,>Hn' F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=2acc85ad-a7ca-4835-85b7-07a95b0420d9 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=0929488e-db1c-4043-b280-85516cb0d9e3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rofi **o',>H ]Ɋ& 7!X,>Ho' F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f86cc094-cca3-4f02-aff6-3be1051d2234 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S**p',>H ]Ɋ& O!X,>Hp' F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f86cc094-cca3-4f02-aff6-3be1051d2234 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=O**q',>H ]Ɋ& K!X,>Hq' F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f86cc094-cca3-4f02-aff6-3be1051d2234 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} |**r',>H ]Ɋ& C!X,>Hr' F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f86cc094-cca3-4f02-aff6-3be1051d2234 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e -**s',>H ]Ɋ& C!X,>Hs' F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f86cc094-cca3-4f02-aff6-3be1051d2234 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Dri**t',>H ]Ɋ& E!X,>Ht' F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f86cc094-cca3-4f02-aff6-3be1051d2234 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -**@u',>H ]Ɋ& !,>Hu' F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f86cc094-cca3-4f02-aff6-3be1051d2234 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=777321f9-0881-4a4d-82d7-88d3deb0fccf PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= F@**Pv',>H ]Ɋ& !,>Hv' F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f86cc094-cca3-4f02-aff6-3be1051d2234 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=777321f9-0881-4a4d-82d7-88d3deb0fccf PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pe -P**Hw'TH ]Ɋ& !XTHw' F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2a20bafd-7a96-4e2b-bae1-64fa3b6b65db HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tH**`x'TH ]Ɋ& !XTHx' F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2a20bafd-7a96-4e2b-bae1-64fa3b6b65db HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**`y'TH ]Ɋ& !XTHy' F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2a20bafd-7a96-4e2b-bae1-64fa3b6b65db HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_.I`**Xz'TH ]Ɋ& !XTHz' F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2a20bafd-7a96-4e2b-bae1-64fa3b6b65db HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**X{'TH ]Ɋ& !XTH{' F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2a20bafd-7a96-4e2b-bae1-64fa3b6b65db HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=GetX**X|'TH ]Ɋ& !XTH|' F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2a20bafd-7a96-4e2b-bae1-64fa3b6b65db HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t-X**}'TH ]Ɋ& !TH}' F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2a20bafd-7a96-4e2b-bae1-64fa3b6b65db HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=6cf4513a-7bad-4bfc-b1a0-8e75a2139aa1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pt**~'DH ]Ɋ&  !DH~' F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=2a20bafd-7a96-4e2b-bae1-64fa3b6b65db HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=6cf4513a-7bad-4bfc-b1a0-8e75a2139aa1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Rou**X'H ]Ɋ&  !XH' F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=7f119a23-bc40-40ee-a935-cebe9b03bd6b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=MeX**p'H ]Ɋ&  !XH' F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=7f119a23-bc40-40ee-a935-cebe9b03bd6b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Cp**p'H ]Ɋ&  !XH' F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=7f119a23-bc40-40ee-a935-cebe9b03bd6b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rActp**h'H ]Ɋ&  !XH' F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=7f119a23-bc40-40ee-a935-cebe9b03bd6b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ h**h'H ]Ɋ&  !XH' F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=7f119a23-bc40-40ee-a935-cebe9b03bd6b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ilenh**h'H ]Ɋ&  !XH' F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=7f119a23-bc40-40ee-a935-cebe9b03bd6b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ig.h**'H ]Ɋ&  !H' F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=7f119a23-bc40-40ee-a935-cebe9b03bd6b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=8d22ae3e-692b-4333-9119-b4ecabcb44c3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**'H ]Ɋ& !H' F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=7f119a23-bc40-40ee-a935-cebe9b03bd6b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=8d22ae3e-692b-4333-9119-b4ecabcb44c3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $dnsServers  ]Ɋ&  #X|H' F&Info = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-No nteractive - ]Ɋ& -NX\>Hk' F&.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=b2b45ba4-4af4-4e34-b588-edfc243e66c6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me@ CommandTyp ]Ɋ& eGN' F& =G5' F& pTF& F&w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk'''' Mu=VysMc&&**`'|H ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! =!X|H' F&F%g>9{p(xlMD EventDatauoData !Binary AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2f334ae1-fbb1-440f-98de-65d6b4a93918 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ter`**p'|H ]Ɋ&  !X|H' F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2f334ae1-fbb1-440f-98de-65d6b4a93918 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d9p**p'|H ]Ɋ&  !X|H' F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2f334ae1-fbb1-440f-98de-65d6b4a93918 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dresp**h'|H ]Ɋ&  !X|H' F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2f334ae1-fbb1-440f-98de-65d6b4a93918 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=]Ɋ&h**h'|H ]Ɋ&  !X|H' F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2f334ae1-fbb1-440f-98de-65d6b4a93918 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cutih**h'|H ]Ɋ&  !X|H' F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2f334ae1-fbb1-440f-98de-65d6b4a93918 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Outh**'|H ]Ɋ&  !|H' F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2f334ae1-fbb1-440f-98de-65d6b4a93918 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=37ea43ab-2b6f-4961-9587-4b8396495336 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**'|H ]Ɋ& !|H' F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=2f334ae1-fbb1-440f-98de-65d6b4a93918 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=37ea43ab-2b6f-4961-9587-4b8396495336 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e** '7H ]Ɋ& w !X7H' F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4a48d4c0-ae34-448a-86e0-3e2eae2d28be HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h **8'7H ]Ɋ&  !X7H' F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4a48d4c0-ae34-448a-86e0-3e2eae2d28be HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=T8**8'7H ]Ɋ&  !X7H' F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4a48d4c0-ae34-448a-86e0-3e2eae2d28be HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rit8**0'7H ]Ɋ&  !X7H' F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4a48d4c0-ae34-448a-86e0-3e2eae2d28be HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tif0**0'7H ]Ɋ&  !X7H' F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4a48d4c0-ae34-448a-86e0-3e2eae2d28be HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=GNE0**0'7H ]Ɋ&  !X7H' F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4a48d4c0-ae34-448a-86e0-3e2eae2d28be HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) 0**'7H ]Ɋ&  !7H' F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4a48d4c0-ae34-448a-86e0-3e2eae2d28be HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=fdb62a51-94b7-4fc1-a0f2-8af67e77e827 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= W**'H ]Ɋ&  !H' F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=4a48d4c0-ae34-448a-86e0-3e2eae2d28be HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=fdb62a51-94b7-4fc1-a0f2-8af67e77e827 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sign**'H ]Ɋ&  !XH' F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=12061f96-655c-4a7c-a2b1-cc4365999470 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.LinayerAddress  ]Ɋ& rAXH' F&ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=b2b45ba4-4af4-4e34-b588-edfc243e66c6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me@ CommandTyp ]Ɋ& eGN' F& =G5' F& pTF& F&w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk''''h NpMu=VysMc&&**'H ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XH' F&F%g>9{p(xlMD EventDatauoData !Binary EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=12061f96-655c-4a7c-a2b1-cc4365999470 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**'H ]Ɋ& !XH' F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=12061f96-655c-4a7c-a2b1-cc4365999470 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**'H ]Ɋ&  !XH' F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=12061f96-655c-4a7c-a2b1-cc4365999470 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ti**'H ]Ɋ&  !XH' F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=12061f96-655c-4a7c-a2b1-cc4365999470 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tr**'H ]Ɋ&  !XH' F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=12061f96-655c-4a7c-a2b1-cc4365999470 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **'H ]Ɋ& O!H' F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=12061f96-655c-4a7c-a2b1-cc4365999470 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=27d4ee12-9199-4733-b0ce-77d00cf5b098 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==**'@hH ]Ɋ& [!@hH' F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=12061f96-655c-4a7c-a2b1-cc4365999470 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=27d4ee12-9199-4733-b0ce-77d00cf5b098 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=939**8 'H ]Ɋ&  !XH' F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c9673177-d7bd-4825-a487-4605209b5175 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8 **P 'H ]Ɋ&  !XH' F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c9673177-d7bd-4825-a487-4605209b5175 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h=P **P 'H ]Ɋ&  !XH' F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c9673177-d7bd-4825-a487-4605209b5175 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($maP **H 'H ]Ɋ&  !XH' F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c9673177-d7bd-4825-a487-4605209b5175 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=CAddH **H 'H ]Ɋ&  !XH' F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c9673177-d7bd-4825-a487-4605209b5175 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=WmiOH **H 'H ]Ɋ&  !XH' F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c9673177-d7bd-4825-a487-4605209b5175 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $_H **'H ]Ɋ& U!XH' F&2AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8e535b87-ea0f-4112-9e8e-da1c1026a970 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rS**'H ]Ɋ& m!XH' F&JEnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8e535b87-ea0f-4112-9e8e-da1c1026a970 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=io**'H ]Ɋ& i!XH' F&FFileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8e535b87-ea0f-4112-9e8e-da1c1026a970 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Clas**'H ]Ɋ& a!XH' F&>FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8e535b87-ea0f-4112-9e8e-da1c1026a970 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ppli**'H ]Ɋ& a!XH' F&>RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8e535b87-ea0f-4112-9e8e-da1c1026a970 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-00-**'H ]Ɋ& c!XH' F&@VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8e535b87-ea0f-4112-9e8e-da1c1026a970 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ect** 'H ]Ɋ&  !H' F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c9673177-d7bd-4825-a487-4605209b5175 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=b0e0df26-4c58-4380-a0d7-8bd5813a7db6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Win **`'H ]Ɋ& !H' F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8e535b87-ea0f-4112-9e8e-da1c1026a970 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion=4.0 RunspaceId=dd86110b-37eb-4654-9cea-312bf74e33a8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=wer`** 'H ]Ɋ&  !H' F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c9673177-d7bd-4825-a487-4605209b5175 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=b0e0df26-4c58-4380-a0d7-8bd5813a7db6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i -Output "[]" ]Ɋ& 4-0cH' F& PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me@ CommandTyp ]Ɋ& eGN' F& =G5' F& pTF& F&w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk''''0`lVuMu=VysMc&&**p '0cH ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! O!0cH' F&F%g>9{p(xlMD EventDatauoData !BinaryStoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=8e535b87-ea0f-4112-9e8e-da1c1026a970 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion=4.0 RunspaceId=dd86110b-37eb-4654-9cea-312bf74e33a8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=edp ** '0cH ]Ɋ& w !X0cH' F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=28235c3c-4cff-408b-a1e1-326483704ef6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s **8'0cH ]Ɋ&  !X0cH' F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=28235c3c-4cff-408b-a1e1-326483704ef6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t8**8'0cH ]Ɋ&  !X0cH' F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=28235c3c-4cff-408b-a1e1-326483704ef6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t (8**0'0cH ]Ɋ&  !X0cH' F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=28235c3c-4cff-408b-a1e1-326483704ef6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=hed0**0'0cH ]Ɋ&  !X0cH' F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=28235c3c-4cff-408b-a1e1-326483704ef6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e =0**0'0cH ]Ɋ&  !X0cH' F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=28235c3c-4cff-408b-a1e1-326483704ef6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**'0cH ]Ɋ&  !0cH' F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=28235c3c-4cff-408b-a1e1-326483704ef6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=ce1b0db3-3d66-406d-a058-35e2d3412491 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=si**'H ]Ɋ&  !H' F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=28235c3c-4cff-408b-a1e1-326483704ef6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=ce1b0db3-3d66-406d-a058-35e2d3412491 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= = 0**'H ]Ɋ& K!XH' F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d4d7b09f-ff1e-49ce-89c3-06236f40834f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=roc**'H ]Ɋ& c!XH' F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d4d7b09f-ff1e-49ce-89c3-06236f40834f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ver**'H ]Ɋ& _!XH' F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d4d7b09f-ff1e-49ce-89c3-06236f40834f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**'H ]Ɋ& W!XH' F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d4d7b09f-ff1e-49ce-89c3-06236f40834f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**'H ]Ɋ& W!XH' F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d4d7b09f-ff1e-49ce-89c3-06236f40834f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$**'H ]Ɋ& Y!XH' F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d4d7b09f-ff1e-49ce-89c3-06236f40834f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=spac**X'H ]Ɋ& !H' F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d4d7b09f-ff1e-49ce-89c3-06236f40834f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=1e0c555c-c87c-4922-87bc-3b0760580360 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oc.SX**`'H ]Ɋ& !H' F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d4d7b09f-ff1e-49ce-89c3-06236f40834f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=1e0c555c-c87c-4922-87bc-3b0760580360 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `** 'H ]Ɋ& w !XH' F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e342b19c-dbca-42c4-ba71-9fa2a629bad6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8'H ]Ɋ&  !XH' F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e342b19c-dbca-42c4-ba71-9fa2a629bad6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-8**8'H ]Ɋ&  !XH' F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e342b19c-dbca-42c4-ba71-9fa2a629bad6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ve 8**0'H ]Ɋ&  !XH' F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e342b19c-dbca-42c4-ba71-9fa2a629bad6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cti0**0'H ]Ɋ&  !XH' F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e342b19c-dbca-42c4-ba71-9fa2a629bad6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ssI0= $ppid" -Er ]Ɋ& lsXH' F&t.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=b0e0df26-4c58-4380-a0d7-8bd5813a7db6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i -Output "[]" ]Ɋ& 4-0cH' F& PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me@ CommandTyp ]Ɋ& eGN' F& =G5' F& pTF& F&w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk''''E"x-MMu=VysMc&&**8'H ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XH' F&F%g>9{p(xlMD EventDatauoData !Binaryb VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e342b19c-dbca-42c4-ba71-9fa2a629bad6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= fa8**'H ]Ɋ&  !H' F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e342b19c-dbca-42c4-ba71-9fa2a629bad6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=a697f9d3-6ec6-4842-9077-ecaddf417cb7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ **']H ]Ɋ&  !]H' F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=e342b19c-dbca-42c4-ba71-9fa2a629bad6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=a697f9d3-6ec6-4842-9077-ecaddf417cb7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Acti** ']H ]Ɋ&  !X]H' F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d5c59dfd-8d88-45ef-a869-b24dd29685df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=E ** ']H ]Ɋ&  !X]H' F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d5c59dfd-8d88-45ef-a869-b24dd29685df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0 ** ']H ]Ɋ&  !X]H' F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d5c59dfd-8d88-45ef-a869-b24dd29685df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ct ** ']H ]Ɋ&  !X]H' F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d5c59dfd-8d88-45ef-a869-b24dd29685df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r - ** ']H ]Ɋ&  !X]H' F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d5c59dfd-8d88-45ef-a869-b24dd29685df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=13 ** ']H ]Ɋ&  !X]H' F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d5c59dfd-8d88-45ef-a869-b24dd29685df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=g ** ']H ]Ɋ& e !]H' F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d5c59dfd-8d88-45ef-a869-b24dd29685df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=69be709a-6a1f-4014-99de-0d5fd58a039b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f  **X']H ]Ɋ&  !X]H' F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6596b7c5-e952-45ac-b65e-d052d9115aec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**p']H ]Ɋ&  !X]H' F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6596b7c5-e952-45ac-b65e-d052d9115aec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mip**p']H ]Ɋ&  !X]H' F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6596b7c5-e952-45ac-b65e-d052d9115aec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ineIp**h']H ]Ɋ&  !X]H' F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6596b7c5-e952-45ac-b65e-d052d9115aec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ias h**h']H ]Ɋ&  !X]H' F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6596b7c5-e952-45ac-b65e-d052d9115aec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tarth**h']H ]Ɋ&  !X]H' F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6596b7c5-e952-45ac-b65e-d052d9115aec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**']H ]Ɋ&  !]H' F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6596b7c5-e952-45ac-b65e-d052d9115aec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=27cf2911-fbe5-4391-8bba-ba708ad82582 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2c4**']H ]Ɋ& !]H' F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=6596b7c5-e952-45ac-b65e-d052d9115aec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=27cf2911-fbe5-4391-8bba-ba708ad82582 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r**X']H ]Ɋ&  !X]H' F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=88e5cb54-bc60-46ce-8ea3-be2ec7a2d5b0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=paXnt.CreationD ]Ɋ& onX]H' F&{ if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=b0e0df26-4c58-4380-a0d7-8bd5813a7db6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i -Output "[]" ]Ɋ& 4-0cH' F& PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me@ CommandTyp ]Ɋ& eGN' F& =G5' F& pTF& F&w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk''''(ps>v‰Mu=VysMc&&**x']H ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! U!X]H' F&F%g>9{p(xlMD EventDatauoData !Binary EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=88e5cb54-bc60-46ce-8ea3-be2ec7a2d5b0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=x**p']H ]Ɋ&  !X]H' F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=88e5cb54-bc60-46ce-8ea3-be2ec7a2d5b0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**h']H ]Ɋ&  !X]H' F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=88e5cb54-bc60-46ce-8ea3-be2ec7a2d5b0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**h**h']H ]Ɋ&  !X]H' F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=88e5cb54-bc60-46ce-8ea3-be2ec7a2d5b0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=aceIh**h']H ]Ɋ&  !X]H' F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=88e5cb54-bc60-46ce-8ea3-be2ec7a2d5b0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ypeh**']H ]Ɋ&  !]H' F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=88e5cb54-bc60-46ce-8ea3-be2ec7a2d5b0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=ef115cc4-a130-4d5c-a814-0a6629a6c71d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=x $**',H ]Ɋ& !,H' F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=88e5cb54-bc60-46ce-8ea3-be2ec7a2d5b0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=ef115cc4-a130-4d5c-a814-0a6629a6c71d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a** ',H ]Ɋ& q !,H' F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d5c59dfd-8d88-45ef-a869-b24dd29685df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=69be709a-6a1f-4014-99de-0d5fd58a039b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Co **',H ]Ɋ& 7!X,H' F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=409e3a49-bca6-453a-976c-1e2118db8f9a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=W**',H ]Ɋ& O!X,H' F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=409e3a49-bca6-453a-976c-1e2118db8f9a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=}**',H ]Ɋ& K!X,H' F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=409e3a49-bca6-453a-976c-1e2118db8f9a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$en**',H ]Ɋ& C!X,H' F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=409e3a49-bca6-453a-976c-1e2118db8f9a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= @(**',H ]Ɋ& C!X,H' F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=409e3a49-bca6-453a-976c-1e2118db8f9a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Fi**',H ]Ɋ& E!X,H' F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=409e3a49-bca6-453a-976c-1e2118db8f9a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er**@',H ]Ɋ& !,H' F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=409e3a49-bca6-453a-976c-1e2118db8f9a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=e6bbde4d-78fd-4d25-98d5-fb23455e5be4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= @**P',H ]Ɋ& !,H' F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=409e3a49-bca6-453a-976c-1e2118db8f9a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=e6bbde4d-78fd-4d25-98d5-fb23455e5be4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=STATP**H'}I ]Ɋ& !X}I' F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=088ef7ec-a5ae-478a-95ed-039e283249ca HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**`'}I ]Ɋ& !X}I' F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=088ef7ec-a5ae-478a-95ed-039e283249ca HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e`**`'}I ]Ɋ& !X}I' F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=088ef7ec-a5ae-478a-95ed-039e283249ca HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=PAT`**X'}I ]Ɋ& !X}I' F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=088ef7ec-a5ae-478a-95ed-039e283249ca HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= # X**X'}I ]Ɋ& !X}I' F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=088ef7ec-a5ae-478a-95ed-039e283249ca HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= toX**X'}I ]Ɋ& !X}I' F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=088ef7ec-a5ae-478a-95ed-039e283249ca HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=2dX**'}I ]Ɋ& !}I' F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=088ef7ec-a5ae-478a-95ed-039e283249ca HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=b5662f03-1e94-45fd-813f-4b6eacfb3f45 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fi**'I ]Ɋ&  !I' F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=088ef7ec-a5ae-478a-95ed-039e283249ca HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=b5662f03-1e94-45fd-813f-4b6eacfb3f45 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $_.**'3I ]Ɋ& K!X3I' F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=aa03337b-4a61-44f8-8a13-bf0a6af7078f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=efe**'3I ]Ɋ& c!X3I' F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=aa03337b-4a61-44f8-8a13-bf0a6af7078f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=st **'3I ]Ɋ& _!X3I' F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=aa03337b-4a61-44f8-8a13-bf0a6af7078f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**'3I ]Ɋ& W!X3I' F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=aa03337b-4a61-44f8-8a13-bf0a6af7078f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **'3I ]Ɋ& W!X3I' F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=aa03337b-4a61-44f8-8a13-bf0a6af7078f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **'3I ]Ɋ& Y!X3I' F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=aa03337b-4a61-44f8-8a13-bf0a6af7078f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= th**X'3I ]Ɋ& !3I' F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=aa03337b-4a61-44f8-8a13-bf0a6af7078f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=63ddb4a9-dc2c-4ad4-86e4-13c9a3ba816a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=9CerX**`'3I ]Ɋ& !3I' F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=aa03337b-4a61-44f8-8a13-bf0a6af7078f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=63ddb4a9-dc2c-4ad4-86e4-13c9a3ba816a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rr`Action Stop  ]Ɋ& OuX3I' F&n=4.0 RunspaceId=b0e0df26-4c58-4380-a0d7-8bd5813a7db6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i -Output "[]" ]Ɋ& 4-0cH' F& PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me@ CommandTyp ]Ɋ& eGN' F& =G5' F& pTF& F&w˰D& F&&dLine=Co andPath= CommandLine== Xo=F<ElfChnk'('(``Lʋ Mu=VysMc&&**('3I ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X3I' F&F%g>9{p(xlMD EventDatauoData !BinaryT AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=3b3bc223-3e37-469c-a4aa-82d7b7937e6e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Na(**8'3I ]Ɋ&  !X3I' F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=3b3bc223-3e37-469c-a4aa-82d7b7937e6e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e8**8'3I ]Ɋ&  !X3I' F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=3b3bc223-3e37-469c-a4aa-82d7b7937e6e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= P8**0'3I ]Ɋ&  !X3I' F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=3b3bc223-3e37-469c-a4aa-82d7b7937e6e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ngi0**0'3I ]Ɋ&  !X3I' F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=3b3bc223-3e37-469c-a4aa-82d7b7937e6e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n.M0**0'3I ]Ɋ&  !X3I' F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=3b3bc223-3e37-469c-a4aa-82d7b7937e6e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-O0**'3I ]Ɋ&  !3I' F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=3b3bc223-3e37-469c-a4aa-82d7b7937e6e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d1a5197a-acaa-4346-a8df-703756deb0fc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=in**'%̢I ]Ɋ&  !%̢I' F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=3b3bc223-3e37-469c-a4aa-82d7b7937e6e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=d1a5197a-acaa-4346-a8df-703756deb0fc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nInt** '%̢I ]Ɋ&  !X%̢I' F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ba01d230-7547-4675-b272-6c366e41f49a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** (%̢I ]Ɋ&  !X%̢I( F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ba01d230-7547-4675-b272-6c366e41f49a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l ** (%̢I ]Ɋ&  !X%̢I( F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ba01d230-7547-4675-b272-6c366e41f49a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c-1 ** (%̢I ]Ɋ&  !X%̢I( F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ba01d230-7547-4675-b272-6c366e41f49a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== ** (%̢I ]Ɋ&  !X%̢I( F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ba01d230-7547-4675-b272-6c366e41f49a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Fi ** (%̢I ]Ɋ&  !X%̢I( F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ba01d230-7547-4675-b272-6c366e41f49a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=an ** (%̢I ]Ɋ& e !%̢I( F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ba01d230-7547-4675-b272-6c366e41f49a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=c56622ad-2997-4741-885d-735ac0b7aa36 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=vi ** (dI ]Ɋ& q !dI( F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ba01d230-7547-4675-b272-6c366e41f49a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=c56622ad-2997-4741-885d-735ac0b7aa36 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tApp **(dI ]Ɋ& 7!XdI( F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f0174a05-7fa4-4811-afd1-7a02244ac0ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **(dI ]Ɋ& O!XdI( F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f0174a05-7fa4-4811-afd1-7a02244ac0ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a** (dI ]Ɋ& K!XdI ( F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f0174a05-7fa4-4811-afd1-7a02244ac0ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t {** (dI ]Ɋ& C!XdI ( F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f0174a05-7fa4-4811-afd1-7a02244ac0ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=re-** (dI ]Ɋ& C!XdI ( F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f0174a05-7fa4-4811-afd1-7a02244ac0ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sk ** (dI ]Ɋ& E!XdI ( F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f0174a05-7fa4-4811-afd1-7a02244ac0ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=og**@ (dI ]Ɋ& !dI ( F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f0174a05-7fa4-4811-afd1-7a02244ac0ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=aa14c065-cf4c-4107-84fb-2c842b8ba08e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= @**P(dI ]Ɋ& !dI( F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f0174a05-7fa4-4811-afd1-7a02244ac0ec HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=aa14c065-cf4c-4107-84fb-2c842b8ba08e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ere-P**H(0J ]Ɋ& !X0J( F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8c28ae42-edcd-4948-afb6-74f23f2c506b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=iH**`(0J ]Ɋ& !X0J( F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8c28ae42-edcd-4948-afb6-74f23f2c506b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m`ndLine== Xo=F<ElfChnk(,((,(HH|;Mu=VysMc&&**`(0J ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! C!X0J( F&F%g>9{p(xlMD EventDatauoData !BinaryFileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8c28ae42-edcd-4948-afb6-74f23f2c506b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=`**X(0J ]Ɋ& !X0J( F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8c28ae42-edcd-4948-afb6-74f23f2c506b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=igX**X(0J ]Ɋ& !X0J( F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8c28ae42-edcd-4948-afb6-74f23f2c506b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= (X**X(0J ]Ɋ& !X0J( F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8c28ae42-edcd-4948-afb6-74f23f2c506b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$nX**(0J ]Ɋ& !0J( F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8c28ae42-edcd-4948-afb6-74f23f2c506b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=44c4512f-7ced-46e6-b143-b8dfecbfb4ee PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **(:J ]Ɋ&  !:J( F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=8c28ae42-edcd-4948-afb6-74f23f2c506b HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=44c4512f-7ced-46e6-b143-b8dfecbfb4ee PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$cfg**(UJ ]Ɋ& K!XUJ( F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e8dae5ae-2868-471a-b10f-6b1e30932ba0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ect**(UJ ]Ɋ& c!XUJ( F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e8dae5ae-2868-471a-b10f-6b1e30932ba0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=IPE**(UJ ]Ɋ& _!XUJ( F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e8dae5ae-2868-471a-b10f-6b1e30932ba0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a**(UJ ]Ɋ& W!XUJ( F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e8dae5ae-2868-471a-b10f-6b1e30932ba0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **(UJ ]Ɋ& W!XUJ( F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e8dae5ae-2868-471a-b10f-6b1e30932ba0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**(UJ ]Ɋ& Y!XUJ( F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e8dae5ae-2868-471a-b10f-6b1e30932ba0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.Int**X(UJ ]Ɋ& !UJ( F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e8dae5ae-2868-471a-b10f-6b1e30932ba0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=cfbd1398-a00d-4be9-bdde-91546eada89a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t 1 X**`(UJ ]Ɋ& !UJ( F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e8dae5ae-2868-471a-b10f-6b1e30932ba0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=cfbd1398-a00d-4be9-bdde-91546eada89a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=if`** (UJ ]Ɋ& w !XUJ( F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=34ae48df-e111-4863-97f9-b7f777d9fe9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r **8 (UJ ]Ɋ&  !XUJ ( F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=34ae48df-e111-4863-97f9-b7f777d9fe9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=/8**8!(UJ ]Ɋ&  !XUJ!( F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=34ae48df-e111-4863-97f9-b7f777d9fe9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=in 8**0"(UJ ]Ɋ&  !XUJ"( F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=34ae48df-e111-4863-97f9-b7f777d9fe9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Ou0**0#(UJ ]Ɋ&  !XUJ#( F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=34ae48df-e111-4863-97f9-b7f777d9fe9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= = 0**0$(UJ ]Ɋ&  !XUJ$( F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=34ae48df-e111-4863-97f9-b7f777d9fe9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ai0**%(UJ ]Ɋ&  !UJ%( F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=34ae48df-e111-4863-97f9-b7f777d9fe9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=4ba2cb15-a677-43d9-a349-4e7deca677cf PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le**&(UJ ]Ɋ&  !UJ&( F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=34ae48df-e111-4863-97f9-b7f777d9fe9c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=4ba2cb15-a677-43d9-a349-4e7deca677cf PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= DNS** '(UJ ]Ɋ&  !XUJ'( F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1542a528-7e95-49c4-988d-2fd456f64ac4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ӱ ** ((UJ ]Ɋ&  !XUJ(( F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1542a528-7e95-49c4-988d-2fd456f64ac4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c ** )(UJ ]Ɋ&  !XUJ)( F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1542a528-7e95-49c4-988d-2fd456f64ac4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ll. ** *(UJ ]Ɋ&  !XUJ*( F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1542a528-7e95-49c4-988d-2fd456f64ac4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** +(UJ ]Ɋ&  !XUJ+( F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1542a528-7e95-49c4-988d-2fd456f64ac4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine='} ** ,(UJ ]Ɋ&  !XUJ,( F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1542a528-7e95-49c4-988d-2fd456f64ac4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ow yle Hidden - ]Ɋ& psUJ-( F&Id= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m`ndLine== Xo=F<ElfChnk-(K(-(K(L& Mu=VysMc&&**-(UJ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !UJ-( F&F%g>9{p(xlMD EventDatauoData !BinaryB AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1542a528-7e95-49c4-988d-2fd456f64ac4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=8c79053f-8ef1-4652-a04a-2a38678fdb7f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=enc** .(5VJ ]Ɋ& q !5VJ.( F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=1542a528-7e95-49c4-988d-2fd456f64ac4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=8c79053f-8ef1-4652-a04a-2a38678fdb7f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pass **/(5VJ ]Ɋ& 7!X5VJ/( F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=69cd706e-dedb-46a6-960c-e2373735e7f5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l**0(5VJ ]Ɋ& O!X5VJ0( F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=69cd706e-dedb-46a6-960c-e2373735e7f5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**1(5VJ ]Ɋ& K!X5VJ1( F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=69cd706e-dedb-46a6-960c-e2373735e7f5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=spa**2(5VJ ]Ɋ& C!X5VJ2( F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=69cd706e-dedb-46a6-960c-e2373735e7f5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ver**3(5VJ ]Ɋ& C!X5VJ3( F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=69cd706e-dedb-46a6-960c-e2373735e7f5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= E**4(5VJ ]Ɋ& E!X5VJ4( F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=69cd706e-dedb-46a6-960c-e2373735e7f5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pr**@5(5VJ ]Ɋ& !5VJ5( F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=69cd706e-dedb-46a6-960c-e2373735e7f5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=2108af9d-7ae7-4467-a438-909ed5c09d2d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ac@**P6(5VJ ]Ɋ& !5VJ6( F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=69cd706e-dedb-46a6-960c-e2373735e7f5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=2108af9d-7ae7-4467-a438-909ed5c09d2d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=9154P**H7(nxJ ]Ɋ& !XnxJ7( F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=3b3af4bf-8623-4d6e-a31a-ccff3590829d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=yH**`8(nxJ ]Ɋ& !XnxJ8( F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=3b3af4bf-8623-4d6e-a31a-ccff3590829d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t`**`9(nxJ ]Ɋ& !XnxJ9( F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=3b3af4bf-8623-4d6e-a31a-ccff3590829d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er `**X:(nxJ ]Ɋ& !XnxJ:( F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=3b3af4bf-8623-4d6e-a31a-ccff3590829d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n |X**X;(nxJ ]Ɋ& !XnxJ;( F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=3b3af4bf-8623-4d6e-a31a-ccff3590829d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**X<(nxJ ]Ɋ& !XnxJ<( F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=3b3af4bf-8623-4d6e-a31a-ccff3590829d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -X**=(nxJ ]Ɋ& !nxJ=( F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=3b3af4bf-8623-4d6e-a31a-ccff3590829d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=2dbb34a4-2fe4-43e7-9d08-ccebeb945da6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ta**>(J ]Ɋ&  !J>( F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=3b3af4bf-8623-4d6e-a31a-ccff3590829d HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=2dbb34a4-2fe4-43e7-9d08-ccebeb945da6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omma**X?(J ]Ɋ&  !XJ?( F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=12cea4b3-7cd2-45c5-b9e4-f12baf441ecb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=*X**p@(J ]Ɋ&  !XJ@( F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=12cea4b3-7cd2-45c5-b9e4-f12baf441ecb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**pA(J ]Ɋ&  !XJA( F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=12cea4b3-7cd2-45c5-b9e4-f12baf441ecb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Xp**hB(J ]Ɋ&  !XJB( F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=12cea4b3-7cd2-45c5-b9e4-f12baf441ecb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**hC(J ]Ɋ&  !XJC( F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=12cea4b3-7cd2-45c5-b9e4-f12baf441ecb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**hD(J ]Ɋ&  !XJD( F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=12cea4b3-7cd2-45c5-b9e4-f12baf441ecb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= !h**E(J ]Ɋ&  !JE( F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=12cea4b3-7cd2-45c5-b9e4-f12baf441ecb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=48bb2168-4e3e-48f6-b7ec-5a4612dce15f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ver**F(J ]Ɋ& !JF( F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=12cea4b3-7cd2-45c5-b9e4-f12baf441ecb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=48bb2168-4e3e-48f6-b7ec-5a4612dce15f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**G(JJ ]Ɋ& U!XJJG( F&2AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8f7fb8d6-c73f-4e5c-ba8b-e3df1ff2fb5c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=# **H(JJ ]Ɋ& m!XJJH( F&JEnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8f7fb8d6-c73f-4e5c-ba8b-e3df1ff2fb5c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tr**I(JJ ]Ɋ& i!XJJI( F&FFileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8f7fb8d6-c73f-4e5c-ba8b-e3df1ff2fb5c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= i**J(JJ ]Ɋ& a!XJJJ( F&>FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8f7fb8d6-c73f-4e5c-ba8b-e3df1ff2fb5c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=11 **K(JJ ]Ɋ& a!XJJK( F&>RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8f7fb8d6-c73f-4e5c-ba8b-e3df1ff2fb5c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== $cputerInfo.Cs ]Ɋ& = XJJL( F&et-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ow yle Hidden - ]Ɋ& psUJ-( F&Id= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m`ndLine== Xo=F<ElfChnkL(^(L(^(`-fMu=VysMc&&** L(JJ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XJJL( F&F%g>9{p(xlMD EventDatauoData !Binary@VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8f7fb8d6-c73f-4e5c-ba8b-e3df1ff2fb5c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **`M(JJ ]Ɋ& !JJM( F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8f7fb8d6-c73f-4e5c-ba8b-e3df1ff2fb5c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion=4.0 RunspaceId=3112ffab-adb6-4594-9f75-b49156321509 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=`**hN(yJ ]Ɋ& !yJN( F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=8f7fb8d6-c73f-4e5c-ba8b-e3df1ff2fb5c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion=4.0 RunspaceId=3112ffab-adb6-4594-9f75-b49156321509 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**XO(K ]Ɋ&  !XKO( F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1bcd6da2-e7ad-4131-bbdc-5c9ed85867d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=esX**pP(K ]Ɋ&  !XKP( F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1bcd6da2-e7ad-4131-bbdc-5c9ed85867d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**pQ(K ]Ɋ&  !XKQ( F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1bcd6da2-e7ad-4131-bbdc-5c9ed85867d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=jectp**hR(K ]Ɋ&  !XKR( F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1bcd6da2-e7ad-4131-bbdc-5c9ed85867d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Enh**hS(K ]Ɋ&  !XKS( F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1bcd6da2-e7ad-4131-bbdc-5c9ed85867d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ff35h**hT(K ]Ɋ&  !XKT( F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1bcd6da2-e7ad-4131-bbdc-5c9ed85867d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=am h**U(K ]Ɋ&  !KU( F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1bcd6da2-e7ad-4131-bbdc-5c9ed85867d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=6e3563fe-5c25-4c67-9c3a-77f4869574d8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ept**V(K ]Ɋ& !KV( F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=1bcd6da2-e7ad-4131-bbdc-5c9ed85867d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=6e3563fe-5c25-4c67-9c3a-77f4869574d8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s** W(K ]Ɋ& w !XKW( F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=52fc9b8e-e816-49f2-9dfb-5acd0f63ffbb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o **8X(K ]Ɋ&  !XKX( F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=52fc9b8e-e816-49f2-9dfb-5acd0f63ffbb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t8**8Y(K ]Ɋ&  !XKY( F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=52fc9b8e-e816-49f2-9dfb-5acd0f63ffbb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= }8**0Z(K ]Ɋ&  !XKZ( F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=52fc9b8e-e816-49f2-9dfb-5acd0f63ffbb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= "E0**0[(K ]Ɋ&  !XK[( F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=52fc9b8e-e816-49f2-9dfb-5acd0f63ffbb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0\(K ]Ɋ&  !XK\( F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=52fc9b8e-e816-49f2-9dfb-5acd0f63ffbb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ch0**](K ]Ɋ&  !K]( F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=52fc9b8e-e816-49f2-9dfb-5acd0f63ffbb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=1c299152-1aa7-4272-803c-c8d383b2c78b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ho**^(-K ]Ɋ&  !-K^( F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=52fc9b8e-e816-49f2-9dfb-5acd0f63ffbb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=1c299152-1aa7-4272-803c-c8d383b2c78b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=main if ($domain ]Ɋ&  X-K_( F&n -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ow yle Hidden - ]Ɋ& psUJ-( F&Id= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m`ndLine== Xo=F<ElfChnk_(t(_(t(pFMu=VysMc&&**_(-K ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X-K_( F&F%g>9{p(xlMD EventDatauoData !Binary AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9a9a63bb-6c6e-4b5b-9add-74aed76370b6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**`(-K ]Ɋ&  !X-K`( F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9a9a63bb-6c6e-4b5b-9add-74aed76370b6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ion=**a(-K ]Ɋ& !X-Ka( F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9a9a63bb-6c6e-4b5b-9add-74aed76370b6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C**b(-K ]Ɋ&  !X-Kb( F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9a9a63bb-6c6e-4b5b-9add-74aed76370b6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= S**c(-K ]Ɋ&  !X-Kc( F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9a9a63bb-6c6e-4b5b-9add-74aed76370b6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mm**d(-K ]Ɋ&  !X-Kd( F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9a9a63bb-6c6e-4b5b-9add-74aed76370b6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**e(-K ]Ɋ& O!-Ke( F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9a9a63bb-6c6e-4b5b-9add-74aed76370b6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=3392b8d5-b40a-4f29-a663-a9966e28c595 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**f(@K ]Ɋ& [!@Kf( F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9a9a63bb-6c6e-4b5b-9add-74aed76370b6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=3392b8d5-b40a-4f29-a663-a9966e28c595 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eSt**g(qK ]Ɋ& U!XqKg( F&2AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=64189d3a-d03a-46aa-abae-10d390e2403e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NE**h(qK ]Ɋ& m!XqKh( F&JEnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=64189d3a-d03a-46aa-abae-10d390e2403e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ek**i(qK ]Ɋ& i!XqKi( F&FFileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=64189d3a-d03a-46aa-abae-10d390e2403e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **j(qK ]Ɋ& a!XqKj( F&>FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=64189d3a-d03a-46aa-abae-10d390e2403e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ect **k(qK ]Ɋ& a!XqKk( F&>RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=64189d3a-d03a-46aa-abae-10d390e2403e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gura**l(qK ]Ɋ& c!XqKl( F&@VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=64189d3a-d03a-46aa-abae-10d390e2403e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Pro**8 m(qK ]Ɋ&  !XqKm( F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=eaaede9a-207e-4177-beb6-7317120a88d5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8 **P n(qK ]Ɋ&  !XqKn( F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=eaaede9a-207e-4177-beb6-7317120a88d5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P **P o(qK ]Ɋ&  !XqKo( F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=eaaede9a-207e-4177-beb6-7317120a88d5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me= P **H p(qK ]Ɋ&  !XqKp( F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=eaaede9a-207e-4177-beb6-7317120a88d5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ore H **H q(qK ]Ɋ&  !XqKq( F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=eaaede9a-207e-4177-beb6-7317120a88d5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ay -H **H r(qK ]Ɋ&  !XqKr( F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=eaaede9a-207e-4177-beb6-7317120a88d5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $H **`s(qK ]Ɋ& !qKs( F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=64189d3a-d03a-46aa-abae-10d390e2403e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion=4.0 RunspaceId=3497c2d4-155c-45db-9eb1-22b350b8315c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=9f2`** t(qK ]Ɋ&  !qKt( F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=eaaede9a-207e-4177-beb6-7317120a88d5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=3531e679-4a51-49c1-87e2-134066b13c3d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NSS vers"":[],"" ]Ɋ& ceqKu( F&me= CommandType= ScriptName= CommandPath= CommandLine=ow yle Hidden - ]Ɋ& psUJ-( F&Id= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m`ndLine== Xo=F<ElfChnku((u((Ctl|Mu=VysMc&&**u(qK ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !qKu( F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=eaaede9a-207e-4177-beb6-7317120a88d5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=3531e679-4a51-49c1-87e2-134066b13c3d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **hv(qK ]Ɋ& !qKv( F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=64189d3a-d03a-46aa-abae-10d390e2403e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object { "$($_.ProcessId)|$($_.Name)" } EngineVersion=4.0 RunspaceId=3497c2d4-155c-45db-9eb1-22b350b8315c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=th** w(qK ]Ɋ& w !XqKw( F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8ffcf735-64fb-4c26-8432-d8d4d733eed3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c **8x(qK ]Ɋ&  !XqKx( F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8ffcf735-64fb-4c26-8432-d8d4d733eed3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8y(qK ]Ɋ&  !XqKy( F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8ffcf735-64fb-4c26-8432-d8d4d733eed3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ask8**0z(qK ]Ɋ&  !XqKz( F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8ffcf735-64fb-4c26-8432-d8d4d733eed3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rof0**0{(qK ]Ɋ&  !XqK{( F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8ffcf735-64fb-4c26-8432-d8d4d733eed3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-4b0**0|(qK ]Ɋ&  !XqK|( F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8ffcf735-64fb-4c26-8432-d8d4d733eed3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ne0**}(qK ]Ɋ&  !qK}( F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8ffcf735-64fb-4c26-8432-d8d4d733eed3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=27765a99-d651-454a-a08c-e234b907d3d7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=FӀ**~( K ]Ɋ&  ! K~( F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=8ffcf735-64fb-4c26-8432-d8d4d733eed3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=27765a99-d651-454a-a08c-e234b907d3d7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=j(**( K ]Ɋ& K!X K( F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6e382984-f343-45aa-a78b-df803c8041df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=der**( K ]Ɋ& c!X K( F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6e382984-f343-45aa-a78b-df803c8041df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=03a**( K ]Ɋ& _!X K( F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6e382984-f343-45aa-a78b-df803c8041df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**( K ]Ɋ& W!X K( F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6e382984-f343-45aa-a78b-df803c8041df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m**( K ]Ɋ& W!X K( F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6e382984-f343-45aa-a78b-df803c8041df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=H**( K ]Ɋ& Y!X K( F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6e382984-f343-45aa-a78b-df803c8041df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -li**X( K ]Ɋ& ! K( F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6e382984-f343-45aa-a78b-df803c8041df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=fbb6724c-7529-44b8-a00e-1617220d3dcb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=FiX**`( K ]Ɋ& ! K( F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=6e382984-f343-45aa-a78b-df803c8041df HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=fbb6724c-7529-44b8-a00e-1617220d3dcb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le`** ( K ]Ɋ& w !X K( F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ba45a216-d27b-4df7-b935-758c9cdf4ad8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r **8( K ]Ɋ&  !X K( F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ba45a216-d27b-4df7-b935-758c9cdf4ad8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8( K ]Ɋ&  !X K( F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ba45a216-d27b-4df7-b935-758c9cdf4ad8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pro8**0( K ]Ɋ&  !X K( F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ba45a216-d27b-4df7-b935-758c9cdf4ad8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) {0ontinue }  ]Ɋ& piX K( F&if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=3531e679-4a51-49c1-87e2-134066b13c3d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NSS vers"":[],"" ]Ɋ& ceqKu( F&me= CommandType= ScriptName= CommandPath= CommandLine=ow yle Hidden - ]Ɋ& psUJ-( F&Id= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m`ndLine== Xo=F<ElfChnk(((((ex~뒙Mu=VysMc&&**0( K ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X K( F&F%g>9{p(xlMD EventDatauoData !Binary` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ba45a216-d27b-4df7-b935-758c9cdf4ad8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0( K ]Ɋ&  !X K( F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ba45a216-d27b-4df7-b935-758c9cdf4ad8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ta0**( K ]Ɋ&  ! K( F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ba45a216-d27b-4df7-b935-758c9cdf4ad8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=88cbfb34-698f-4209-8372-07e5bbe3657e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= {**(K ]Ɋ&  !K( F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=ba45a216-d27b-4df7-b935-758c9cdf4ad8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=88cbfb34-698f-4209-8372-07e5bbe3657e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=in32** (K ]Ɋ&  !XK( F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=06c7ed37-48c2-465c-8bb5-3d664f2971e5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** (K ]Ɋ&  !XK( F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=06c7ed37-48c2-465c-8bb5-3d664f2971e5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** (K ]Ɋ&  !XK( F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=06c7ed37-48c2-465c-8bb5-3d664f2971e5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=lec ** (K ]Ɋ&  !XK( F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=06c7ed37-48c2-465c-8bb5-3d664f2971e5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e | ** (K ]Ɋ&  !XK( F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=06c7ed37-48c2-465c-8bb5-3d664f2971e5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-4c ** (K ]Ɋ&  !XK( F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=06c7ed37-48c2-465c-8bb5-3d664f2971e5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bj ** (K ]Ɋ& e !K( F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=06c7ed37-48c2-465c-8bb5-3d664f2971e5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=9e877cbd-64aa-466a-8fa7-8364c641c76b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0- **X(;K ]Ɋ&  !X;K( F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c6254b36-7f89-4bd1-a872-c701cc627e7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t X**p(;K ]Ɋ&  !X;K( F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c6254b36-7f89-4bd1-a872-c701cc627e7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 1p**p(;K ]Ɋ&  !X;K( F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c6254b36-7f89-4bd1-a872-c701cc627e7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Commp**h(;K ]Ɋ&  !X;K( F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c6254b36-7f89-4bd1-a872-c701cc627e7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=soleh**h(;K ]Ɋ&  !X;K( F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c6254b36-7f89-4bd1-a872-c701cc627e7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.0 h**h(;K ]Ɋ&  !X;K( F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c6254b36-7f89-4bd1-a872-c701cc627e7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=df7h**(;K ]Ɋ&  !;K( F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c6254b36-7f89-4bd1-a872-c701cc627e7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=4e6a4fd6-6839-4124-90d3-9de2caefb793 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=onI**(;K ]Ɋ& !;K( F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c6254b36-7f89-4bd1-a872-c701cc627e7c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=4e6a4fd6-6839-4124-90d3-9de2caefb793 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=odKill = $tru ]Ɋ& roX;K( F&Pattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=3531e679-4a51-49c1-87e2-134066b13c3d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NSS vers"":[],"" ]Ɋ& ceqKu( F&me= CommandType= ScriptName= CommandPath= CommandLine=ow yle Hidden - ]Ɋ& psUJ-( F&Id= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m`ndLine== Xo=F<ElfChnk((((6}:H_@Mu=VysMc&&**`(;K ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! =!X;K( F&F%g>9{p(xlMD EventDatauoData !Binary AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b0ef7821-8c06-4dfa-a83c-47e2e7973b78 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=`**p(;K ]Ɋ&  !X;K( F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b0ef7821-8c06-4dfa-a83c-47e2e7973b78 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**p(;K ]Ɋ&  !X;K( F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b0ef7821-8c06-4dfa-a83c-47e2e7973b78 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**h(;K ]Ɋ&  !X;K( F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b0ef7821-8c06-4dfa-a83c-47e2e7973b78 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h(;K ]Ɋ&  !X;K( F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b0ef7821-8c06-4dfa-a83c-47e2e7973b78 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=IPv4h**h(;K ]Ɋ&  !X;K( F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b0ef7821-8c06-4dfa-a83c-47e2e7973b78 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=manh**(;K ]Ɋ&  !;K( F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b0ef7821-8c06-4dfa-a83c-47e2e7973b78 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=d85232c8-8b14-4b86-9818-4a0ef2793eda PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=x -**(;K ]Ɋ& !;K( F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b0ef7821-8c06-4dfa-a83c-47e2e7973b78 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=d85232c8-8b14-4b86-9818-4a0ef2793eda PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=j** (;K ]Ɋ& q !;K( F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=06c7ed37-48c2-465c-8bb5-3d664f2971e5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=9e877cbd-64aa-466a-8fa7-8364c641c76b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=( **(;K ]Ɋ& 7!X;K( F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=c3df3f01-2391-471e-8da8-c0ae4895d30b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=E**(;K ]Ɋ& O!X;K( F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=c3df3f01-2391-471e-8da8-c0ae4895d30b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **(;K ]Ɋ& K!X;K( F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=c3df3f01-2391-471e-8da8-c0ae4895d30b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=TH **(;K ]Ɋ& C!X;K( F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=c3df3f01-2391-471e-8da8-c0ae4895d30b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) {**(;K ]Ɋ& C!X;K( F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=c3df3f01-2391-471e-8da8-c0ae4895d30b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=vid**(;K ]Ɋ& E!X;K( F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=c3df3f01-2391-471e-8da8-c0ae4895d30b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=)"**@(;K ]Ɋ& !;K( F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=c3df3f01-2391-471e-8da8-c0ae4895d30b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=e2fffa7d-2b23-48b1-ab45-7aa8208d0a09 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=:$@**P(JK ]Ɋ& !JK( F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=c3df3f01-2391-471e-8da8-c0ae4895d30b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=e2fffa7d-2b23-48b1-ab45-7aa8208d0a09 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= WP**H(HK ]Ɋ& !XHK( F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9361cf3f-44ab-4b09-9b65-ca61756dbf9f HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**`(HK ]Ɋ& !XHK( F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9361cf3f-44ab-4b09-9b65-ca61756dbf9f HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P`**`(HK ]Ɋ& !XHK( F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9361cf3f-44ab-4b09-9b65-ca61756dbf9f HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { `**X(HK ]Ɋ& !XHK( F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9361cf3f-44ab-4b09-9b65-ca61756dbf9f HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y UX**X(HK ]Ɋ& !XHK( F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9361cf3f-44ab-4b09-9b65-ca61756dbf9f HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**X(HK ]Ɋ& !XHK( F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9361cf3f-44ab-4b09-9b65-ca61756dbf9f HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ioX**(HK ]Ɋ& !HK( F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9361cf3f-44ab-4b09-9b65-ca61756dbf9f HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=e2ccef12-b4a9-469f-a08e-18a5be115f35 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} **(VK ]Ɋ&  !VK( F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9361cf3f-44ab-4b09-9b65-ca61756dbf9f HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=e2ccef12-b4a9-469f-a08e-18a5be115f35 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **(NBK ]Ɋ& K!XNBK( F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ad86ab5a-eac5-49d9-afde-21a68e1343d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **(NBK ]Ɋ& c!XNBK( F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ad86ab5a-eac5-49d9-afde-21a68e1343d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **(NBK ]Ɋ& _!XNBK( F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ad86ab5a-eac5-49d9-afde-21a68e1343d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**(NBK ]Ɋ& W!XNBK( F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ad86ab5a-eac5-49d9-afde-21a68e1343d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=M**(NBK ]Ɋ& W!XNBK( F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ad86ab5a-eac5-49d9-afde-21a68e1343d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**(NBK ]Ɋ& Y!XNBK( F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ad86ab5a-eac5-49d9-afde-21a68e1343d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= EnneVersion=4. ]Ɋ& 3cNBK( F&e= CommandType= ScriptName= CommandPath= CommandLine=NSS vers"":[],"" ]Ɋ& ceqKu( F&me= CommandType= ScriptName= CommandPath= CommandLine=ow yle Hidden - ]Ɋ& psUJ-( F&Id= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m`ndLine== Xo=F<ElfChnk((((8xe3Mu=VysMc&&**X (NBK ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! 9!NBK( F&F%g>9{p(xlMD EventDatauoData !BinaryAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ad86ab5a-eac5-49d9-afde-21a68e1343d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b1b6ff65-03d7-48f8-a1cf-37e09372e771 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=iX **`(NBK ]Ɋ& !NBK( F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ad86ab5a-eac5-49d9-afde-21a68e1343d6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b1b6ff65-03d7-48f8-a1cf-37e09372e771 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i`** (NBK ]Ɋ& w !XNBK( F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=cfd801e5-e18b-41e6-a044-5cad76c8f736 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8(NBK ]Ɋ&  !XNBK( F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=cfd801e5-e18b-41e6-a044-5cad76c8f736 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l8**8(NBK ]Ɋ&  !XNBK( F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=cfd801e5-e18b-41e6-a044-5cad76c8f736 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=re 8**0(NBK ]Ɋ&  !XNBK( F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=cfd801e5-e18b-41e6-a044-5cad76c8f736 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tch0**0(NBK ]Ɋ&  !XNBK( F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=cfd801e5-e18b-41e6-a044-5cad76c8f736 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0(NBK ]Ɋ&  !XNBK( F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=cfd801e5-e18b-41e6-a044-5cad76c8f736 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ch0**(NBK ]Ɋ&  !NBK( F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=cfd801e5-e18b-41e6-a044-5cad76c8f736 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=3e54c290-ede3-4f4a-8e62-53fb6b40c705 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ek**(ڸK ]Ɋ&  !ڸK( F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=cfd801e5-e18b-41e6-a044-5cad76c8f736 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=3e54c290-ede3-4f4a-8e62-53fb6b40c705 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Star** (ڸK ]Ɋ&  !XڸK( F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=62e43e28-e496-442e-bcc7-fa6a623834a7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a ** (ڸK ]Ɋ&  !XڸK( F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=62e43e28-e496-442e-bcc7-fa6a623834a7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=- ** (ڸK ]Ɋ&  !XڸK( F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=62e43e28-e496-442e-bcc7-fa6a623834a7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** (ڸK ]Ɋ&  !XڸK( F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=62e43e28-e496-442e-bcc7-fa6a623834a7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= | ** (ڸK ]Ɋ&  !XڸK( F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=62e43e28-e496-442e-bcc7-fa6a623834a7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==1 ** (ڸK ]Ɋ&  !XڸK( F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=62e43e28-e496-442e-bcc7-fa6a623834a7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=te ** (ڸK ]Ɋ& e !ڸK( F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=62e43e28-e496-442e-bcc7-fa6a623834a7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=af6919c7-22b3-481b-86a1-d618657a464b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  ** ({sK ]Ɋ& q !{sK( F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=62e43e28-e496-442e-bcc7-fa6a623834a7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=af6919c7-22b3-481b-86a1-d618657a464b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=( **({sK ]Ɋ& 7!X{sK( F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=821cc5ba-a893-4703-8787-0f585b2f7aa3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s**({sK ]Ɋ& O!X{sK( F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=821cc5ba-a893-4703-8787-0f585b2f7aa3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i**({sK ]Ɋ& K!X{sK( F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=821cc5ba-a893-4703-8787-0f585b2f7aa3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t **({sK ]Ɋ& C!X{sK( F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=821cc5ba-a893-4703-8787-0f585b2f7aa3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nso**({sK ]Ɋ& C!X{sK( F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=821cc5ba-a893-4703-8787-0f585b2f7aa3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tNa**({sK ]Ɋ& E!X{sK( F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=821cc5ba-a893-4703-8787-0f585b2f7aa3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **@({sK ]Ɋ& !{sK( F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=821cc5ba-a893-4703-8787-0f585b2f7aa3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=3c071fe7-e948-4d2b-b4d6-bb4a9a6260e6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=@ce ]Ɋ& pt K( F&dLine=ow yle Hidden - ]Ɋ& psUJ-( F&Id= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m`ndLine== Xo=F<ElfChnk((((~cŃMu=VysMc&&**P ( K ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! 1! K( F&F%g>9{p(xlMD EventDatauoData !Binary~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=821cc5ba-a893-4703-8787-0f585b2f7aa3 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=3c071fe7-e948-4d2b-b4d6-bb4a9a6260e6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=P **H(*IL ]Ɋ& !X*IL( F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ddce8beb-eaf3-42e4-9a24-54c01850aeb4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=zH**`(*IL ]Ɋ& !X*IL( F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ddce8beb-eaf3-42e4-9a24-54c01850aeb4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p`**`(*IL ]Ɋ& !X*IL( F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ddce8beb-eaf3-42e4-9a24-54c01850aeb4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**X(*IL ]Ɋ& !X*IL( F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ddce8beb-eaf3-42e4-9a24-54c01850aeb4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 1 X**X(*IL ]Ɋ& !X*IL( F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ddce8beb-eaf3-42e4-9a24-54c01850aeb4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ProX**X(*IL ]Ɋ& !X*IL( F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ddce8beb-eaf3-42e4-9a24-54c01850aeb4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) X**(*IL ]Ɋ& !*IL( F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ddce8beb-eaf3-42e4-9a24-54c01850aeb4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=0e58a90d-93ae-4a63-9d09-bc6539a225ab PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on**(JL ]Ɋ&  !JL( F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ddce8beb-eaf3-42e4-9a24-54c01850aeb4 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=0e58a90d-93ae-4a63-9d09-bc6539a225ab PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= FӸ**(kL ]Ɋ& K!XkL( F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=263d62f9-38c4-4a63-8629-d0875a53f4fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1 **(kL ]Ɋ& c!XkL( F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=263d62f9-38c4-4a63-8629-d0875a53f4fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$cf**(kL ]Ɋ& _!XkL( F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=263d62f9-38c4-4a63-8629-d0875a53f4fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**(kL ]Ɋ& W!XkL( F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=263d62f9-38c4-4a63-8629-d0875a53f4fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=D**(kL ]Ɋ& W!XkL( F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=263d62f9-38c4-4a63-8629-d0875a53f4fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**(kL ]Ɋ& Y!XkL( F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=263d62f9-38c4-4a63-8629-d0875a53f4fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y ne**X(kL ]Ɋ& !kL( F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=263d62f9-38c4-4a63-8629-d0875a53f4fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=cfb32565-7688-4f54-b3d2-f91c4c0cc69c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=XX**`(kL ]Ɋ& !kL( F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=263d62f9-38c4-4a63-8629-d0875a53f4fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=cfb32565-7688-4f54-b3d2-f91c4c0cc69c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er`** (kL ]Ɋ& w !XkL( F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=72d73fcb-04b4-4fcf-8bd2-79e6207c78ce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d **8(kL ]Ɋ&  !XkL( F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=72d73fcb-04b4-4fcf-8bd2-79e6207c78ce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=O8**8(kL ]Ɋ&  !XkL( F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=72d73fcb-04b4-4fcf-8bd2-79e6207c78ce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rIn8**0(kL ]Ɋ&  !XkL( F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=72d73fcb-04b4-4fcf-8bd2-79e6207c78ce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Pr0**0(kL ]Ɋ&  !XkL( F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=72d73fcb-04b4-4fcf-8bd2-79e6207c78ce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= +=0**0(kL ]Ɋ&  !XkL( F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=72d73fcb-04b4-4fcf-8bd2-79e6207c78ce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=*0**(kL ]Ɋ&  !kL( F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=72d73fcb-04b4-4fcf-8bd2-79e6207c78ce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=1ee42ca7-7a1e-4d21-8711-7d6d046b3c77 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ad**(CkL ]Ɋ&  !CkL( F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=72d73fcb-04b4-4fcf-8bd2-79e6207c78ce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=1ee42ca7-7a1e-4d21-8711-7d6d046b3c77 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=6a1-** (CkL ]Ɋ&  !XCkL( F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=cc62ecb6-e347-40e6-be74-e50ca5ee24fe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y ** (CkL ]Ɋ&  !XCkL( F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=cc62ecb6-e347-40e6-be74-e50ca5ee24fe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i ** (CkL ]Ɋ&  !XCkL( F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=cc62ecb6-e347-40e6-be74-e50ca5ee24fe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=to ** (CkL ]Ɋ&  !XCkL( F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=cc62ecb6-e347-40e6-be74-e50ca5ee24fe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-No nteractive - ]Ɋ& -NXCkL( F&.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=3c071fe7-e948-4d2b-b4d6-bb4a9a6260e6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=@ce ]Ɋ& pt K( F&dLine=ow yle Hidden - ]Ɋ& psUJ-( F&Id= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m`ndLine== Xo=F<ElfChnk()()p#'>|Mu=VysMc&&** (CkL ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !XCkL( F&F%g>9{p(xlMD EventDatauoData !BinaryRegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=cc62ecb6-e347-40e6-be74-e50ca5ee24fe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** (CkL ]Ɋ&  !XCkL( F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=cc62ecb6-e347-40e6-be74-e50ca5ee24fe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=& ** (CkL ]Ɋ& e !CkL( F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=cc62ecb6-e347-40e6-be74-e50ca5ee24fe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=361f5576-811b-4294-932e-934f42aae146 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tN ** (ClL ]Ɋ& q !ClL( F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=cc62ecb6-e347-40e6-be74-e50ca5ee24fe HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=361f5576-811b-4294-932e-934f42aae146 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rofi **(ClL ]Ɋ& 7!XClL( F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9e1f815a-662b-4cee-8764-f37af217a13b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S**(ClL ]Ɋ& O!XClL( F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9e1f815a-662b-4cee-8764-f37af217a13b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=O**(ClL ]Ɋ& K!XClL( F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9e1f815a-662b-4cee-8764-f37af217a13b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} |**(ClL ]Ɋ& C!XClL( F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9e1f815a-662b-4cee-8764-f37af217a13b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e -**(ClL ]Ɋ& C!XClL( F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9e1f815a-662b-4cee-8764-f37af217a13b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Dri**(ClL ]Ɋ& E!XClL( F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9e1f815a-662b-4cee-8764-f37af217a13b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -**@(ClL ]Ɋ& !ClL( F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9e1f815a-662b-4cee-8764-f37af217a13b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=af04d1be-8f1a-4607-b42c-8e5417391746 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= F@**P(plL ]Ɋ& !plL( F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9e1f815a-662b-4cee-8764-f37af217a13b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=af04d1be-8f1a-4607-b42c-8e5417391746 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pe -P**H(L ]Ɋ& !XL( F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9acfb9e0-840b-42b5-8581-51dc6153f1cc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tH**`)L ]Ɋ& !XL) F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9acfb9e0-840b-42b5-8581-51dc6153f1cc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**`)L ]Ɋ& !XL) F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9acfb9e0-840b-42b5-8581-51dc6153f1cc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_.I`**X)L ]Ɋ& !XL) F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9acfb9e0-840b-42b5-8581-51dc6153f1cc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**X)L ]Ɋ& !XL) F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9acfb9e0-840b-42b5-8581-51dc6153f1cc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=GetX**X)L ]Ɋ& !XL) F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9acfb9e0-840b-42b5-8581-51dc6153f1cc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t-X**)L ]Ɋ& !L) F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9acfb9e0-840b-42b5-8581-51dc6153f1cc HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=72e45bf0-e35e-43fe-bfc8-f85d644de1df PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pt**H)UM ]Ɋ& !XUM) F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5f4d1330-1bbd-4904-86e3-9a0311a6cdc2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eH**`)UM ]Ɋ& !XUM) F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5f4d1330-1bbd-4904-86e3-9a0311a6cdc2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o`**`)UM ]Ɋ& !XUM) F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5f4d1330-1bbd-4904-86e3-9a0311a6cdc2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=lic`**X )UM ]Ɋ& !XUM ) F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5f4d1330-1bbd-4904-86e3-9a0311a6cdc2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=AvX**X )UM ]Ɋ& !XUM ) F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5f4d1330-1bbd-4904-86e3-9a0311a6cdc2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0 X**X )UM ]Ɋ& !XUM ) F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5f4d1330-1bbd-4904-86e3-9a0311a6cdc2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=NeX** )UM ]Ɋ& !UM ) F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5f4d1330-1bbd-4904-86e3-9a0311a6cdc2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=f6838f37-7b72-4fb3-a226-5f5a408fdae0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e\**  )2M ]Ɋ& w !X2M ) F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5493a60b-899a-4b93-9198-ef433acfc730 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d **8)2M ]Ɋ&  !X2M) F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5493a60b-899a-4b93-9198-ef433acfc730 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l8**8)2M ]Ɋ&  !X2M) F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5493a60b-899a-4b93-9198-ef433acfc730 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Wmi8**0)2M ]Ɋ&  !X2M) F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5493a60b-899a-4b93-9198-ef433acfc730 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ver0**0)2M ]Ɋ&  !X2M) F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5493a60b-899a-4b93-9198-ef433acfc730 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=New0**0)2M ]Ɋ&  !X2M) F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5493a60b-899a-4b93-9198-ef433acfc730 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=an0**)2M ]Ɋ&  !2M) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5493a60b-899a-4b93-9198-ef433acfc730 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=ba38c46a-d155-40d5-93e8-deadf0dea7a6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nY= ]Ɋ& ȍM) F& F&nath= X5ElfChnk)%))%)U[Mu=VysMc&&**)ȍM ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! q!ȍM) F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=5493a60b-899a-4b93-9198-ef433acfc730 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=ba38c46a-d155-40d5-93e8-deadf0dea7a6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s** )ȍM ]Ɋ&  !XȍM) F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ed91f108-4b53-4dbf-8243-32be353e2b17 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er ** )ȍM ]Ɋ&  !XȍM) F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ed91f108-4b53-4dbf-8243-32be353e2b17 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o- ** )ȍM ]Ɋ&  !XȍM) F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ed91f108-4b53-4dbf-8243-32be353e2b17 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** )ȍM ]Ɋ&  !XȍM) F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ed91f108-4b53-4dbf-8243-32be353e2b17 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e' - ** )ȍM ]Ɋ&  !XȍM) F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ed91f108-4b53-4dbf-8243-32be353e2b17 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=here ** )ȍM ]Ɋ&  !XȍM) F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ed91f108-4b53-4dbf-8243-32be353e2b17 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e - ** )ȍM ]Ɋ& ; !ȍM) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ed91f108-4b53-4dbf-8243-32be353e2b17 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion=4.0 RunspaceId=e8c9eea4-1112-46f4-8567-b9d266034641 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me= ** )_&M ]Ɋ& G !_&M) F&$ StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ed91f108-4b53-4dbf-8243-32be353e2b17 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion=4.0 RunspaceId=e8c9eea4-1112-46f4-8567-b9d266034641 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=l **X)WM ]Ɋ&  !XWM) F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b846bf6e-b7e6-4785-9162-c046d6dafe74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mmX**p)WM ]Ɋ&  !XWM) F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b846bf6e-b7e6-4785-9162-c046d6dafe74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Rep**p)WM ]Ɋ&  !XWM) F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b846bf6e-b7e6-4785-9162-c046d6dafe74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a60bp**h )WM ]Ɋ&  !XWM ) F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b846bf6e-b7e6-4785-9162-c046d6dafe74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=3acfh**h!)WM ]Ɋ&  !XWM!) F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b846bf6e-b7e6-4785-9162-c046d6dafe74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==powh**h")WM ]Ɋ&  !XWM") F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b846bf6e-b7e6-4785-9162-c046d6dafe74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=onIh**#)WM ]Ɋ&  !WM#) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b846bf6e-b7e6-4785-9162-c046d6dafe74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=5b141467-bded-49b0-964e-4ace8be8209f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ce **$)"M ]Ɋ& !"M$) F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b846bf6e-b7e6-4785-9162-c046d6dafe74 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=5b141467-bded-49b0-964e-4ace8be8209f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o** %)"M ]Ɋ& w !X"M%) F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=242d607a-3209-4c8b-b2b3-66813b3939fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=E orAction Sil ]Ɋ& stX"M&) F&ort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=ba38c46a-d155-40d5-93e8-deadf0dea7a6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nY= ]Ɋ& ȍM) F& F&nath= X5ElfChnk&);)&);)HwAi$6Mu=VysMc&&**@&)"M ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X"M&) F&F%g>9{p(xlMD EventDatauoData !Binaryl EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=242d607a-3209-4c8b-b2b3-66813b3939fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pt@**8')"M ]Ɋ&  !X"M') F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=242d607a-3209-4c8b-b2b3-66813b3939fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=wer8**0()"M ]Ɋ&  !X"M() F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=242d607a-3209-4c8b-b2b3-66813b3939fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 3 0**0))"M ]Ɋ&  !X"M)) F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=242d607a-3209-4c8b-b2b3-66813b3939fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= i0**0*)"M ]Ɋ&  !X"M*) F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=242d607a-3209-4c8b-b2b3-66813b3939fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ig0**+)"M ]Ɋ&  !"M+) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=242d607a-3209-4c8b-b2b3-66813b3939fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=431676f4-9c07-482b-925b-b7233407ddfc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Nu**,)M ]Ɋ&  !M,) F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=242d607a-3209-4c8b-b2b3-66813b3939fb HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=431676f4-9c07-482b-925b-b7233407ddfc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Time**`-)M ]Ɋ& !XM-) F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a042f674-075d-4449-9e80-c1aa3db4be7a HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-wuikv4uy.pyc.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**x.)M ]Ɋ& !XM.) F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a042f674-075d-4449-9e80-c1aa3db4be7a HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-wuikv4uy.pyc.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Namx**p/)M ]Ɋ& !XM/) F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a042f674-075d-4449-9e80-c1aa3db4be7a HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-wuikv4uy.pyc.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= p**h0)M ]Ɋ& !XM0) F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a042f674-075d-4449-9e80-c1aa3db4be7a HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-wuikv4uy.pyc.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sh**h1)M ]Ɋ& !XM1) F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a042f674-075d-4449-9e80-c1aa3db4be7a HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-wuikv4uy.pyc.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oh**p2)M ]Ɋ& !XM2) F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a042f674-075d-4449-9e80-c1aa3db4be7a HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-wuikv4uy.pyc.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= p**3)M ]Ɋ& !M3) F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a042f674-075d-4449-9e80-c1aa3db4be7a HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-wuikv4uy.pyc.ps1 EngineVersion=4.0 RunspaceId=29af22ea-c27f-4915-9254-d19dcb8282f1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ject**4)M ]Ɋ& !M4) F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=a042f674-075d-4449-9e80-c1aa3db4be7a HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\TEMP\neptune-install-wuikv4uy.pyc.ps1 EngineVersion=4.0 RunspaceId=29af22ea-c27f-4915-9254-d19dcb8282f1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C** 5)M ]Ɋ& w !XM5) F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e657f6d2-c6a6-4d66-a2fb-a2896a4d0a5b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e **86)M ]Ɋ&  !XM6) F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e657f6d2-c6a6-4d66-a2fb-a2896a4d0a5b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**87)M ]Ɋ&  !XM7) F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e657f6d2-c6a6-4d66-a2fb-a2896a4d0a5b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=R:$8**08)M ]Ɋ&  !XM8) F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e657f6d2-c6a6-4d66-a2fb-a2896a4d0a5b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=atc0**09)M ]Ɋ&  !XM9) F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e657f6d2-c6a6-4d66-a2fb-a2896a4d0a5b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$($0**0:)M ]Ɋ&  !XM:) F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e657f6d2-c6a6-4d66-a2fb-a2896a4d0a5b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ll0**;)M ]Ɋ&  !M;) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e657f6d2-c6a6-4d66-a2fb-a2896a4d0a5b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=9a8e5b7d-0d7e-48c3-b922-5d0de688cff8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.DaultIPGatewa ]Ɋ&  yM<) F&cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=E orAction Sil ]Ɋ& stX"M&) F&ort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=ba38c46a-d155-40d5-93e8-deadf0dea7a6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nY= ]Ɋ& ȍM) F& F&nath= X5ElfChnk<)N)<)N) p<;Mu=VysMc&&**<)yM ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! q!yM<) F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=e657f6d2-c6a6-4d66-a2fb-a2896a4d0a5b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=9a8e5b7d-0d7e-48c3-b922-5d0de688cff8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** =)yM ]Ɋ&  !XyM=) F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=bc344c22-4a4b-4763-a1de-fb1db7a5526c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.I ** >)yM ]Ɋ&  !XyM>) F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=bc344c22-4a4b-4763-a1de-fb1db7a5526c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=an ** ?)yM ]Ɋ&  !XyM?) F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=bc344c22-4a4b-4763-a1de-fb1db7a5526c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** @)yM ]Ɋ&  !XyM@) F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=bc344c22-4a4b-4763-a1de-fb1db7a5526c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=atio ** A)yM ]Ɋ&  !XyMA) F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=bc344c22-4a4b-4763-a1de-fb1db7a5526c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** B)yM ]Ɋ&  !XyMB) F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=bc344c22-4a4b-4763-a1de-fb1db7a5526c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=if ** C)yM ]Ɋ& ; !yMC) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=bc344c22-4a4b-4763-a1de-fb1db7a5526c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion=4.0 RunspaceId=058bbfd9-b4a2-49b4-bf88-b4d4d47b8952 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=abl **D)yM ]Ɋ&  !yMD) F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5f4d1330-1bbd-4904-86e3-9a0311a6cdc2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=f6838f37-7b72-4fb3-a226-5f5a408fdae0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** E)!M ]Ɋ& G !!ME) F&$ StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=bc344c22-4a4b-4763-a1de-fb1db7a5526c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch {} try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch {} EngineVersion=4.0 RunspaceId=058bbfd9-b4a2-49b4-bf88-b4d4d47b8952 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i **XF)۸M ]Ɋ&  !X۸MF) F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4e13d979-934a-4710-b5de-a03c4bb3aff7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**pG)۸M ]Ɋ&  !X۸MG) F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4e13d979-934a-4710-b5de-a03c4bb3aff7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rop**pH)۸M ]Ɋ&  !X۸MH) F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4e13d979-934a-4710-b5de-a03c4bb3aff7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= trp**hI)۸M ]Ɋ&  !X۸MI) F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4e13d979-934a-4710-b5de-a03c4bb3aff7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= = Gh**hJ)۸M ]Ɋ&  !X۸MJ) F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4e13d979-934a-4710-b5de-a03c4bb3aff7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Indeh**hK)۸M ]Ɋ&  !X۸MK) F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4e13d979-934a-4710-b5de-a03c4bb3aff7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Errh**L)۸M ]Ɋ&  !۸ML) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4e13d979-934a-4710-b5de-a03c4bb3aff7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=7949261e-e605-4921-9b09-5e6c954280d8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=($a**M){tM ]Ɋ& !{tMM) F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4e13d979-934a-4710-b5de-a03c4bb3aff7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=7949261e-e605-4921-9b09-5e6c954280d8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-** N){tM ]Ɋ& w !X{tMN) F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=97b0a224-956a-4d35-90b2-a52387dfacce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o e and try ne ]Ɋ& noX{tMO) F&$mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=ba38c46a-d155-40d5-93e8-deadf0dea7a6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nY= ]Ɋ& ȍM) F& F&nath= X5ElfChnkO)_)O)_)Xۀ Mu=VysMc&&**@O){tM ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X{tMO) F&F%g>9{p(xlMD EventDatauoData !Binaryl EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=97b0a224-956a-4d35-90b2-a52387dfacce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pt@**8P){tM ]Ɋ&  !X{tMP) F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=97b0a224-956a-4d35-90b2-a52387dfacce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=wer8**0Q){tM ]Ɋ&  !X{tMQ) F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=97b0a224-956a-4d35-90b2-a52387dfacce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 3 0**0R){tM ]Ɋ&  !X{tMR) F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=97b0a224-956a-4d35-90b2-a52387dfacce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= i0**0S){tM ]Ɋ&  !X{tMS) F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=97b0a224-956a-4d35-90b2-a52387dfacce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ig0**T){tM ]Ɋ&  !{tMT) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=97b0a224-956a-4d35-90b2-a52387dfacce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=4a000187-df52-4d65-b529-6dd354b7bf97 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Nu**U) M ]Ɋ&  ! MU) F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=97b0a224-956a-4d35-90b2-a52387dfacce HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=4a000187-df52-4d65-b529-6dd354b7bf97 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ineI**XV)M ]Ɋ&  !XMV) F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8eabe3c5-4187-4f25-a801-ece4885b76dd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**pW)M ]Ɋ&  !XMW) F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8eabe3c5-4187-4f25-a801-ece4885b76dd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= p**pX)M ]Ɋ&  !XMX) F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8eabe3c5-4187-4f25-a801-ece4885b76dd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Hp**hY)M ]Ɋ&  !XMY) F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8eabe3c5-4187-4f25-a801-ece4885b76dd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Hh**hZ)M ]Ɋ&  !XMZ) F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8eabe3c5-4187-4f25-a801-ece4885b76dd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Hh**h[)M ]Ɋ&  !XM[) F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8eabe3c5-4187-4f25-a801-ece4885b76dd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= h**\)M ]Ɋ&  !M\) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8eabe3c5-4187-4f25-a801-ece4885b76dd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=3dc35be3-a5d9-41fb-837d-bf0e4b376529 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bb3**])M ]Ɋ& !M]) F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=8eabe3c5-4187-4f25-a801-ece4885b76dd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=3dc35be3-a5d9-41fb-837d-bf0e4b376529 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=b**X^);M ]Ɋ&  !X;M^) F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6346dd5d-6077-4add-9655-aebe81247299 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**p_);M ]Ɋ&  !X;M_) F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6346dd5d-6077-4add-9655-aebe81247299 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ecp{ $_.IPEnabl ]Ɋ& } X;M`) F&} else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=ba38c46a-d155-40d5-93e8-deadf0dea7a6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nY= ]Ɋ& ȍM) F& F&nath= X5ElfChnk`)p)`)p)X;g  Mu=VysMc&&**p`);M ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! Q!X;M`) F&F%g>9{p(xlMD EventDatauoData !Binary FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6346dd5d-6077-4add-9655-aebe81247299 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**ha);M ]Ɋ&  !X;Ma) F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6346dd5d-6077-4add-9655-aebe81247299 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**hb);M ]Ɋ&  !X;Mb) F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6346dd5d-6077-4add-9655-aebe81247299 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Mh**hc);M ]Ɋ&  !X;Mc) F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6346dd5d-6077-4add-9655-aebe81247299 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=iabh**d);M ]Ɋ&  !;Md) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6346dd5d-6077-4add-9655-aebe81247299 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=eec797fa-300e-4fdd-a0ef-364c21f32b96 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Se**e);M ]Ɋ& !;Me) F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=6346dd5d-6077-4add-9655-aebe81247299 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=eec797fa-300e-4fdd-a0ef-364c21f32b96 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a** f);M ]Ɋ& w !X;Mf) F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=35b28566-5a63-44d0-a796-f4e5b7424226 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a **8g);M ]Ɋ&  !X;Mg) F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=35b28566-5a63-44d0-a796-f4e5b7424226 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==8**8h);M ]Ɋ&  !X;Mh) F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=35b28566-5a63-44d0-a796-f4e5b7424226 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eSy8**0i);M ]Ɋ&  !X;Mi) F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=35b28566-5a63-44d0-a796-f4e5b7424226 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0j);M ]Ɋ&  !X;Mj) F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=35b28566-5a63-44d0-a796-f4e5b7424226 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0k);M ]Ɋ&  !X;Mk) F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=35b28566-5a63-44d0-a796-f4e5b7424226 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**l);M ]Ɋ&  !;Ml) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=35b28566-5a63-44d0-a796-f4e5b7424226 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=463b93c7-83f5-4b6e-beac-dd7080682d9b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**m)M ]Ɋ&  !Mm) F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=35b28566-5a63-44d0-a796-f4e5b7424226 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=463b93c7-83f5-4b6e-beac-dd7080682d9b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=])**n)M ]Ɋ&  !XMn) F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=61bdec70-9e41-44f9-94ef-54e51ed07b91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndLi**o)M ]Ɋ&  !XMo) F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=61bdec70-9e41-44f9-94ef-54e51ed07b91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**p)M ]Ɋ& !XMp) F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=61bdec70-9e41-44f9-94ef-54e51ed07b91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=;`)  ]Ɋ& s XMq) F&tion | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=ba38c46a-d155-40d5-93e8-deadf0dea7a6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nY= ]Ɋ& ȍM) F& F&nath= X5ElfChnkq))q))xqMu=VysMc&&**q)M ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XMq) F&F%g>9{p(xlMD EventDatauoData !Binary FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=61bdec70-9e41-44f9-94ef-54e51ed07b91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**r)M ]Ɋ&  !XMr) F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=61bdec70-9e41-44f9-94ef-54e51ed07b91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**s)M ]Ɋ&  !XMs) F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=61bdec70-9e41-44f9-94ef-54e51ed07b91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**t)M ]Ɋ& O!Mt) F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=61bdec70-9e41-44f9-94ef-54e51ed07b91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=da6c4ded-e3f7-49ec-af25-d657cebdaf8e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **u)hM ]Ɋ& [!hMu) F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=61bdec70-9e41-44f9-94ef-54e51ed07b91 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=da6c4ded-e3f7-49ec-af25-d657cebdaf8e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e=C**8 v)KM ]Ɋ&  !XKMv) F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=28b7481e-e30d-4031-a71d-8ca01a8746c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=;8 **P w)KM ]Ɋ&  !XKMw) F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=28b7481e-e30d-4031-a71d-8ca01a8746c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== P **P x)KM ]Ɋ&  !XKMx) F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=28b7481e-e30d-4031-a71d-8ca01a8746c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=if (P **H y)KM ]Ɋ&  !XKMy) F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=28b7481e-e30d-4031-a71d-8ca01a8746c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ratiH **H z)KM ]Ɋ&  !XKMz) F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=28b7481e-e30d-4031-a71d-8ca01a8746c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $_.H **H {)KM ]Ɋ&  !XKM{) F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=28b7481e-e30d-4031-a71d-8ca01a8746c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=imIH ** |)KM ]Ɋ&  !KM|) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=28b7481e-e30d-4031-a71d-8ca01a8746c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=5689c06d-bcd2-4102-a621-baf6fa0247c8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t-C ** })KM ]Ɋ&  !KM}) F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=28b7481e-e30d-4031-a71d-8ca01a8746c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=5689c06d-bcd2-4102-a621-baf6fa0247c8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c ** ~)KM ]Ɋ& w !XKM~) F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=75f63446-4b04-4b70-b365-0596b2edae1b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t **8)KM ]Ɋ&  !XKM) F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=75f63446-4b04-4b70-b365-0596b2edae1b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=k8**8)KM ]Ɋ&  !XKM) F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=75f63446-4b04-4b70-b365-0596b2edae1b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s s8**0)KM ]Ɋ&  !XKM) F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=75f63446-4b04-4b70-b365-0596b2edae1b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tas0settings: $_ ]Ɋ& unXKM) F&p try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=;`)  ]Ɋ& s XMq) F&tion | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=ba38c46a-d155-40d5-93e8-deadf0dea7a6 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nY= ]Ɋ& ȍM) F& F&nath= X5ElfChnk)))), Mu=VysMc&&**0)KM ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XKM) F&F%g>9{p(xlMD EventDatauoData !Binary` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=75f63446-4b04-4b70-b365-0596b2edae1b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0)KM ]Ɋ&  !XKM) F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=75f63446-4b04-4b70-b365-0596b2edae1b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**)KM ]Ɋ&  !KM) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=75f63446-4b04-4b70-b365-0596b2edae1b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=539cc54a-bf92-479e-938c-c185efa641f1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oo**)M ]Ɋ&  !M) F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=75f63446-4b04-4b70-b365-0596b2edae1b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=539cc54a-bf92-479e-938c-c185efa641f1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Coul**)M ]Ɋ& K!XM) F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=89301245-d340-426c-8315-8cd3a7e62bf0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ont**)M ]Ɋ& c!XM) F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=89301245-d340-426c-8315-8cd3a7e62bf0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-Sc**)M ]Ɋ& _!XM) F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=89301245-d340-426c-8315-8cd3a7e62bf0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**)M ]Ɋ& W!XM) F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=89301245-d340-426c-8315-8cd3a7e62bf0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-**)M ]Ɋ& W!XM) F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=89301245-d340-426c-8315-8cd3a7e62bf0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**)M ]Ɋ& Y!XM) F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=89301245-d340-426c-8315-8cd3a7e62bf0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ppid**X)M ]Ɋ& !M) F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=89301245-d340-426c-8315-8cd3a7e62bf0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b724bd7a-bedf-434c-be8a-3d1e235be994 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=elinX**`),}M ]Ɋ& !,}M) F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=89301245-d340-426c-8315-8cd3a7e62bf0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=b724bd7a-bedf-434c-be8a-3d1e235be994 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) `** ),}M ]Ɋ& w !X,}M) F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=144dab7f-bfd5-4210-a2ab-c9cac0a80c86 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== **8),}M ]Ɋ&  !X,}M) F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=144dab7f-bfd5-4210-a2ab-c9cac0a80c86 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8),}M ]Ɋ&  !X,}M) F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=144dab7f-bfd5-4210-a2ab-c9cac0a80c86 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**0),}M ]Ɋ&  !X,}M) F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=144dab7f-bfd5-4210-a2ab-c9cac0a80c86 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0),}M ]Ɋ&  !X,}M) F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=144dab7f-bfd5-4210-a2ab-c9cac0a80c86 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=roc0**0),}M ]Ɋ&  !X,}M) F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=144dab7f-bfd5-4210-a2ab-c9cac0a80c86 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$_0**),}M ]Ɋ&  !,}M) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=144dab7f-bfd5-4210-a2ab-c9cac0a80c86 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=762b705e-6416-437f-8f22-4c1ccbf96ec4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ss**)M ]Ɋ&  !M) F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=144dab7f-bfd5-4210-a2ab-c9cac0a80c86 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=762b705e-6416-437f-8f22-4c1ccbf96ec4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** )M ]Ɋ&  !XM) F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ce1907e3-0cd4-443e-8928-09ccad0aac1d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** )M ]Ɋ&  !XM) F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ce1907e3-0cd4-443e-8928-09ccad0aac1d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m ** )M ]Ɋ&  !XM) F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ce1907e3-0cd4-443e-8928-09ccad0aac1d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  F&nath= X5ElfChnk))))@6Mu=VysMc&&** )M ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !XM) F&F%g>9{p(xlMD EventDatauoData !BinaryFunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ce1907e3-0cd4-443e-8928-09ccad0aac1d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** )M ]Ɋ&  !XM) F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ce1907e3-0cd4-443e-8928-09ccad0aac1d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rea ** )M ]Ɋ&  !XM) F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ce1907e3-0cd4-443e-8928-09ccad0aac1d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ne ** )M ]Ɋ& e !M) F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ce1907e3-0cd4-443e-8928-09ccad0aac1d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=5b907a95-1ca6-46cc-8f6f-3dc07cffb02a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=je **X)M ]Ɋ&  !XM) F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=21cc9fd2-b5ca-4a61-8aee-7eb85b92180c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_.X**p)M ]Ɋ&  !XM) F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=21cc9fd2-b5ca-4a61-8aee-7eb85b92180c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ep**p)M ]Ɋ&  !XM) F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=21cc9fd2-b5ca-4a61-8aee-7eb85b92180c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==Regp**h)M ]Ɋ&  !XM) F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=21cc9fd2-b5ca-4a61-8aee-7eb85b92180c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ediah**h)M ]Ɋ&  !XM) F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=21cc9fd2-b5ca-4a61-8aee-7eb85b92180c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=yConh**h)M ]Ɋ&  !XM) F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=21cc9fd2-b5ca-4a61-8aee-7eb85b92180c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ch h**)M ]Ɋ&  !M) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=21cc9fd2-b5ca-4a61-8aee-7eb85b92180c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=c5f9742f-fb8a-4ae8-a19c-f624cf917979 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tAd**)M ]Ɋ& !M) F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=21cc9fd2-b5ca-4a61-8aee-7eb85b92180c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=c5f9742f-fb8a-4ae8-a19c-f624cf917979 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=u**X)M ]Ɋ&  !XM) F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1e087012-55fc-4e15-a63c-41414ee60cb8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-FX**p)M ]Ɋ&  !XM) F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1e087012-55fc-4e15-a63c-41414ee60cb8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -p**p)M ]Ɋ&  !XM) F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1e087012-55fc-4e15-a63c-41414ee60cb8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d $ap**h)M ]Ɋ&  !XM) F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1e087012-55fc-4e15-a63c-41414ee60cb8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ter.h**h)M ]Ɋ&  !XM) F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1e087012-55fc-4e15-a63c-41414ee60cb8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t = h**h)M ]Ɋ&  !XM) F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1e087012-55fc-4e15-a63c-41414ee60cb8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Verhon=4.0 Hos ]Ɋ& ApM) F&rofile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  F&nath= X5ElfChnk))))ډ7#Mu=VysMc&&**)M ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !M) F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1e087012-55fc-4e15-a63c-41414ee60cb8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=ab75c0c6-0999-418b-87a2-c6c7268f8738 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**)M ]Ɋ& !M) F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=1e087012-55fc-4e15-a63c-41414ee60cb8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=ab75c0c6-0999-418b-87a2-c6c7268f8738 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=** )M ]Ɋ& q !M) F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ce1907e3-0cd4-443e-8928-09ccad0aac1d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=5b907a95-1ca6-46cc-8f6f-3dc07cffb02a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **)YM ]Ɋ& 7!XYM) F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2f52d918-a8a8-4a89-9264-89c65bd9f9db HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.**)YM ]Ɋ& O!XYM) F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2f52d918-a8a8-4a89-9264-89c65bd9f9db HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**)YM ]Ɋ& K!XYM) F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2f52d918-a8a8-4a89-9264-89c65bd9f9db HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **)YM ]Ɋ& C!XYM) F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2f52d918-a8a8-4a89-9264-89c65bd9f9db HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **)YM ]Ɋ& C!XYM) F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2f52d918-a8a8-4a89-9264-89c65bd9f9db HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ovi**)YM ]Ɋ& E!XYM) F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2f52d918-a8a8-4a89-9264-89c65bd9f9db HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s **@)YM ]Ɋ& !YM) F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2f52d918-a8a8-4a89-9264-89c65bd9f9db HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=a6b29d3a-e2fb-4c9e-9936-dd9e17206635 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= @**P)YM ]Ɋ& !YM) F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=2f52d918-a8a8-4a89-9264-89c65bd9f9db HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=a6b29d3a-e2fb-4c9e-9936-dd9e17206635 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=GE:$P**H)DaN ]Ɋ& !XDaN) F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5350a00d-90d2-4836-9d2e-499f2adb24d0 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tH**`)DaN ]Ɋ& !XDaN) F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5350a00d-90d2-4836-9d2e-499f2adb24d0 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**`)DaN ]Ɋ& !XDaN) F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5350a00d-90d2-4836-9d2e-499f2adb24d0 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=PTU`**X)DaN ]Ɋ& !XDaN) F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5350a00d-90d2-4836-9d2e-499f2adb24d0 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=29.X**X)DaN ]Ɋ& !XDaN) F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5350a00d-90d2-4836-9d2e-499f2adb24d0 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-OuX**X)DaN ]Ɋ& !XDaN) F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5350a00d-90d2-4836-9d2e-499f2adb24d0 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e X**)DaN ]Ɋ& !DaN) F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5350a00d-90d2-4836-9d2e-499f2adb24d0 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=d51fcfae-c024-4890-9109-bc175a980b1c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Va**)zN ]Ɋ&  !zN) F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5350a00d-90d2-4836-9d2e-499f2adb24d0 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=d51fcfae-c024-4890-9109-bc175a980b1c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **)]N ]Ɋ& K!X]N) F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a81594f2-c1cb-40f1-8f2f-83048fa9b0c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ESI**)]N ]Ɋ& c!X]N) F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a81594f2-c1cb-40f1-8f2f-83048fa9b0c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **)]N ]Ɋ& _!X]N) F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a81594f2-c1cb-40f1-8f2f-83048fa9b0c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**)]N ]Ɋ& W!X]N) F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a81594f2-c1cb-40f1-8f2f-83048fa9b0c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c**)]N ]Ɋ& W!X]N) F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a81594f2-c1cb-40f1-8f2f-83048fa9b0c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**)]N ]Ɋ& Y!X]N) F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a81594f2-c1cb-40f1-8f2f-83048fa9b0c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=aria**X)]N ]Ɋ& !]N) F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a81594f2-c1cb-40f1-8f2f-83048fa9b0c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=d5b0ed8d-80ed-4095-847e-5222a92ccea9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**`)]N ]Ɋ& !]N) F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=a81594f2-c1cb-40f1-8f2f-83048fa9b0c7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=d5b0ed8d-80ed-4095-847e-5222a92ccea9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-N`** )N ]Ɋ& w !XN) F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=56045fa3-c7ec-4626-8298-bb16df102e6e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c **8)N ]Ɋ&  !XN) F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=56045fa3-c7ec-4626-8298-bb16df102e6e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=58**8)N ]Ɋ&  !XN) F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=56045fa3-c7ec-4626-8298-bb16df102e6e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ion8**0)N ]Ɋ&  !XN) F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=56045fa3-c7ec-4626-8298-bb16df102e6e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=stN0**0)N ]Ɋ&  !XN) F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=56045fa3-c7ec-4626-8298-bb16df102e6e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ter0= Get-NetAda ]Ɋ& sSXN) F&) foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  F&nath= X5ElfChnk))))i)SyMu=VysMc&&**8)N ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XN) F&F%g>9{p(xlMD EventDatauoData !Binaryb VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=56045fa3-c7ec-4626-8298-bb16df102e6e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ame8**)N ]Ɋ&  !N) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=56045fa3-c7ec-4626-8298-bb16df102e6e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=9ba9770b-9856-4bdf-83ca-b3d88fc9bee8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f8**)N ]Ɋ&  !N) F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=56045fa3-c7ec-4626-8298-bb16df102e6e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=9ba9770b-9856-4bdf-83ca-b3d88fc9bee8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** )MN ]Ɋ&  !XMN) F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0a3aaf2b-55f5-427e-81e9-b87ddf1eaf40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o ** )MN ]Ɋ&  !XMN) F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0a3aaf2b-55f5-427e-81e9-b87ddf1eaf40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o ** )MN ]Ɋ&  !XMN) F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0a3aaf2b-55f5-427e-81e9-b87ddf1eaf40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$_. ** )MN ]Ɋ&  !XMN) F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0a3aaf2b-55f5-427e-81e9-b87ddf1eaf40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ppe ** )MN ]Ɋ&  !XMN) F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0a3aaf2b-55f5-427e-81e9-b87ddf1eaf40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e= ** )MN ]Ɋ&  !XMN) F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0a3aaf2b-55f5-427e-81e9-b87ddf1eaf40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er ** )MN ]Ɋ& e !MN) F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0a3aaf2b-55f5-427e-81e9-b87ddf1eaf40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=8409b5cb-bc8e-47c9-b301-e67605309e4d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rs ** )MN ]Ɋ& q !MN) F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=0a3aaf2b-55f5-427e-81e9-b87ddf1eaf40 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=8409b5cb-bc8e-47c9-b301-e67605309e4d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Eng **)MN ]Ɋ& 7!XMN) F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ff3d9fce-696f-4b6b-9b3e-9c356c716e83 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **)MN ]Ɋ& O!XMN) F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ff3d9fce-696f-4b6b-9b3e-9c356c716e83 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m**)MN ]Ɋ& K!XMN) F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ff3d9fce-696f-4b6b-9b3e-9c356c716e83 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-eq**)MN ]Ɋ& C!XMN) F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ff3d9fce-696f-4b6b-9b3e-9c356c716e83 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dia**)MN ]Ɋ& C!XMN) F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ff3d9fce-696f-4b6b-9b3e-9c356c716e83 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=if(**)MN ]Ɋ& E!XMN) F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ff3d9fce-696f-4b6b-9b3e-9c356c716e83 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= T**@)MN ]Ɋ& !MN) F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ff3d9fce-696f-4b6b-9b3e-9c356c716e83 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=98dc187b-6651-4666-bf64-2b4a4ba1246e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 1@**P) N ]Ɋ& ! N) F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ff3d9fce-696f-4b6b-9b3e-9c356c716e83 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=98dc187b-6651-4666-bf64-2b4a4ba1246e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ediaP**H)ZO ]Ɋ& !XZO) F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5ff53e2d-a1d6-4e5a-b12b-b8255e49fc09 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oH**`)ZO ]Ɋ& !XZO) F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5ff53e2d-a1d6-4e5a-b12b-b8255e49fc09 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d`**`)ZO ]Ɋ& !XZO) F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5ff53e2d-a1d6-4e5a-b12b-b8255e49fc09 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fg `**X)ZO ]Ɋ& !XZO) F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5ff53e2d-a1d6-4e5a-b12b-b8255e49fc09 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= SX**X)ZO ]Ɋ& !XZO) F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5ff53e2d-a1d6-4e5a-b12b-b8255e49fc09 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**X)ZO ]Ɋ& !XZO) F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5ff53e2d-a1d6-4e5a-b12b-b8255e49fc09 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=_NX**)ZO ]Ɋ& !ZO) F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5ff53e2d-a1d6-4e5a-b12b-b8255e49fc09 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=de8b9dff-beec-428f-9198-28893660f60c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**),O ]Ɋ&  !,O) F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5ff53e2d-a1d6-4e5a-b12b-b8255e49fc09 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=de8b9dff-beec-428f-9198-28893660f60c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nue)**)6O ]Ɋ& K!X6O) F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=93318de9-f6d2-414d-b979-587670abf224 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **)6O ]Ɋ& c!X6O) F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=93318de9-f6d2-414d-b979-587670abf224 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ere**)6O ]Ɋ& _!X6O) F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=93318de9-f6d2-414d-b979-587670abf224 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **)6O ]Ɋ& W!X6O) F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=93318de9-f6d2-414d-b979-587670abf224 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**)6O ]Ɋ& W!X6O) F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=93318de9-f6d2-414d-b979-587670abf224 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**)6O ]Ɋ& Y!X6O) F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=93318de9-f6d2-414d-b979-587670abf224 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= { **X)6O ]Ɋ& !6O) F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=93318de9-f6d2-414d-b979-587670abf224 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=636e8bec-f3b7-4d8e-819a-a765d36d0571 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tTo-Xon -Compress ]Ɋ& ],6O) F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  F&nath= X5ElfChnk)*)*(x;T3sMu=VysMc&&**h )6O ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! E!6O) F&F%g>9{p(xlMD EventDatauoData !BinaryStoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=93318de9-f6d2-414d-b979-587670abf224 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=636e8bec-f3b7-4d8e-819a-a765d36d0571 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Conh ** )Q7O ]Ɋ& w !XQ7O) F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=8e55e7e2-259a-427d-b3c3-50108c24d1e0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S **8)Q7O ]Ɋ&  !XQ7O) F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=8e55e7e2-259a-427d-b3c3-50108c24d1e0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e8**8)Q7O ]Ɋ&  !XQ7O) F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=8e55e7e2-259a-427d-b3c3-50108c24d1e0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Ge8**0)Q7O ]Ɋ&  !XQ7O) F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=8e55e7e2-259a-427d-b3c3-50108c24d1e0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0)Q7O ]Ɋ&  !XQ7O) F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=8e55e7e2-259a-427d-b3c3-50108c24d1e0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ssF0**0)Q7O ]Ɋ&  !XQ7O) F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=8e55e7e2-259a-427d-b3c3-50108c24d1e0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**)Q7O ]Ɋ&  !Q7O) F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=8e55e7e2-259a-427d-b3c3-50108c24d1e0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=3b5b8767-edd3-4286-b7c4-94c56b7bcca1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ge**)Q7O ]Ɋ&  !Q7O) F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=8e55e7e2-259a-427d-b3c3-50108c24d1e0 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=3b5b8767-edd3-4286-b7c4-94c56b7bcca1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=":""** )8O ]Ɋ&  !X8O) F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=053e5b0c-5434-4c27-b193-3912fd3a9808 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=x ** )8O ]Ɋ&  !X8O) F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=053e5b0c-5434-4c27-b193-3912fd3a9808 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** )8O ]Ɋ&  !X8O) F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=053e5b0c-5434-4c27-b193-3912fd3a9808 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rfa ** )8O ]Ɋ&  !X8O) F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=053e5b0c-5434-4c27-b193-3912fd3a9808 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-4b ** )8O ]Ɋ&  !X8O) F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=053e5b0c-5434-4c27-b193-3912fd3a9808 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=b4a ** )8O ]Ɋ&  !X8O) F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=053e5b0c-5434-4c27-b193-3912fd3a9808 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** )8O ]Ɋ& e !8O) F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=053e5b0c-5434-4c27-b193-3912fd3a9808 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=37dbdf99-b9ed-419e-a6c1-662ec4de3db3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ho ** )8O ]Ɋ& q !8O) F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=053e5b0c-5434-4c27-b193-3912fd3a9808 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=37dbdf99-b9ed-419e-a6c1-662ec4de3db3 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=:\Pr **)8O ]Ɋ& 7!X8O) F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=17e29918-f3b5-469c-831a-87d83c8bf89a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=T**)8O ]Ɋ& O!X8O) F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=17e29918-f3b5-469c-831a-87d83c8bf89a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d***8O ]Ɋ& K!X8O* F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=17e29918-f3b5-469c-831a-87d83c8bf89a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Nam***8O ]Ɋ& C!X8O* F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=17e29918-f3b5-469c-831a-87d83c8bf89a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eId***8O ]Ɋ& C!X8O* F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=17e29918-f3b5-469c-831a-87d83c8bf89a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Pi***8O ]Ɋ& E!X8O* F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=17e29918-f3b5-469c-831a-87d83c8bf89a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ce**@*8O ]Ɋ& !8O* F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=17e29918-f3b5-469c-831a-87d83c8bf89a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=27885bfc-2ded-41cf-9fac-fd92893312dc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me@**P*~8O ]Ɋ& !~8O* F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=17e29918-f3b5-469c-831a-87d83c8bf89a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=27885bfc-2ded-41cf-9fac-fd92893312dc PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mandPme= Comman ]Ɋ& neX+O* F& ],6O) F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  F&nath= X5ElfChnk****%W 3Mu=VysMc&&**P*+O ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! /!X+O* F&F%g>9{p(xlMD EventDatauoData !Binary|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=4cff9ab9-8b14-454b-ad66-93b60ad4b4b2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $P**`*+O ]Ɋ& !X+O* F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=4cff9ab9-8b14-454b-ad66-93b60ad4b4b2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r`**`*+O ]Ɋ& !X+O* F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=4cff9ab9-8b14-454b-ad66-93b60ad4b4b2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= i`**X *+O ]Ɋ& !X+O * F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=4cff9ab9-8b14-454b-ad66-93b60ad4b4b2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**X *+O ]Ɋ& !X+O * F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=4cff9ab9-8b14-454b-ad66-93b60ad4b4b2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ideX**X *+O ]Ɋ& !X+O * F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=4cff9ab9-8b14-454b-ad66-93b60ad4b4b2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X** *+O ]Ɋ& !+O * F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=4cff9ab9-8b14-454b-ad66-93b60ad4b4b2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=65d9ddfa-b6cb-428b-954b-743707324cad PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gu**X *XO ]Ɋ&  !XXO * F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=355fb16a-81b5-4125-8b37-12e63aad64d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=bjX**p*XO ]Ɋ&  !XXO* F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=355fb16a-81b5-4125-8b37-12e63aad64d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=aup**p*XO ]Ɋ&  !XXO* F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=355fb16a-81b5-4125-8b37-12e63aad64d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ss }p**h*XO ]Ɋ&  !XXO* F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=355fb16a-81b5-4125-8b37-12e63aad64d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 1 h**h*XO ]Ɋ&  !XXO* F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=355fb16a-81b5-4125-8b37-12e63aad64d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== Geh**h*XO ]Ɋ&  !XXO* F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=355fb16a-81b5-4125-8b37-12e63aad64d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=lseh***XO ]Ɋ&  !XO* F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=355fb16a-81b5-4125-8b37-12e63aad64d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=6a66c3b9-5f87-483c-ad49-da181ce6eb6d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Con***GO ]Ɋ& !GO* F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=355fb16a-81b5-4125-8b37-12e63aad64d7 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=6a66c3b9-5f87-483c-ad49-da181ce6eb6d PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t**X**O ]Ɋ&  !X*O* F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=dd1d86ee-c2c8-4b40-a352-e2780c1956ff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=umX**p**O ]Ɋ&  !X*O* F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=dd1d86ee-c2c8-4b40-a352-e2780c1956ff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=erp**p**O ]Ɋ&  !X*O* F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=dd1d86ee-c2c8-4b40-a352-e2780c1956ff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=&p**h**O ]Ɋ&  !X*O* F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=dd1d86ee-c2c8-4b40-a352-e2780c1956ff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eVerh**h**O ]Ɋ&  !X*O* F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=dd1d86ee-c2c8-4b40-a352-e2780c1956ff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=onsoh**h**O ]Ɋ&  !X*O* F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=dd1d86ee-c2c8-4b40-a352-e2780c1956ff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=erfh****O ]Ɋ&  !*O* F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=dd1d86ee-c2c8-4b40-a352-e2780c1956ff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=53cb4fa7-b846-4a3e-a9ac-9a24d427ad8b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ]Ɋ& 8O* F&6O) F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  F&nath= X5ElfChnk*,**,*aCŗ2xMu=VysMc&&***8O ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !8O* F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=dd1d86ee-c2c8-4b40-a352-e2780c1956ff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=53cb4fa7-b846-4a3e-a9ac-9a24d427ad8b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=er** *8O ]Ɋ& w !X8O* F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0d09770c-5e35-4133-8e42-968f844b3bf5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s **8*8O ]Ɋ&  !X8O* F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0d09770c-5e35-4133-8e42-968f844b3bf5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**8*8O ]Ɋ&  !X8O* F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0d09770c-5e35-4133-8e42-968f844b3bf5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pty8**0 *8O ]Ɋ&  !X8O * F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0d09770c-5e35-4133-8e42-968f844b3bf5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= #0**0!*8O ]Ɋ&  !X8O!* F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0d09770c-5e35-4133-8e42-968f844b3bf5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0"*8O ]Ɋ&  !X8O"* F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0d09770c-5e35-4133-8e42-968f844b3bf5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**#*8O ]Ɋ&  !8O#* F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0d09770c-5e35-4133-8e42-968f844b3bf5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=c5f571d3-d8c2-412a-a094-98f39a2ef7b8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **$*WO ]Ɋ&  !WO$* F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=0d09770c-5e35-4133-8e42-968f844b3bf5 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=c5f571d3-d8c2-412a-a094-98f39a2ef7b8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= }**%*WO ]Ɋ&  !XWO%* F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=637705be-f5c1-4b02-a889-cbe3f63931ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **&*WO ]Ɋ&  !XWO&* F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=637705be-f5c1-4b02-a889-cbe3f63931ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **'*WO ]Ɋ& !XWO'* F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=637705be-f5c1-4b02-a889-cbe3f63931ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **(*WO ]Ɋ&  !XWO(* F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=637705be-f5c1-4b02-a889-cbe3f63931ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mp**)*WO ]Ɋ&  !XWO)* F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=637705be-f5c1-4b02-a889-cbe3f63931ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} ****WO ]Ɋ&  !XWO** F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=637705be-f5c1-4b02-a889-cbe3f63931ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=k**+*WO ]Ɋ& O!WO+* F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=637705be-f5c1-4b02-a889-cbe3f63931ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=0d161fa5-ac43-44ab-8110-a1b5f96c7e46 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=M**,*iO ]Ɋ& [!iO,* F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=637705be-f5c1-4b02-a889-cbe3f63931ed HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=0d161fa5-ac43-44ab-8110-a1b5f96c7e46 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=9aca24d427ad8b  ]Ɋ& crdO-* F&mandLine= ]Ɋ& 8O* F&6O) F&ineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  F&nath= X5ElfChnk-*A*-*A*ʇV!Mu=VysMc&&**-*dO ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !dO-* F&F%g>9{p(xlMD EventDatauoData !BinaryStoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=4cff9ab9-8b14-454b-ad66-93b60ad4b4b2 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=65d9ddfa-b6cb-428b-954b-743707324cad PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$**8 .*eO ]Ɋ&  !XeO.* F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0cdf51be-0678-42aa-b870-1ec9ff62772a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$n8 **P /*eO ]Ɋ&  !XeO/* F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0cdf51be-0678-42aa-b870-1ec9ff62772a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==pP **P 0*eO ]Ɋ&  !XeO0* F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0cdf51be-0678-42aa-b870-1ec9ff62772a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eNumP **H 1*eO ]Ɋ&  !XeO1* F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0cdf51be-0678-42aa-b870-1ec9ff62772a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= !H **H 2*eO ]Ɋ&  !XeO2* F&v RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0cdf51be-0678-42aa-b870-1ec9ff62772a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=TypeH **H 3*eO ]Ɋ&  !XeO3* F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0cdf51be-0678-42aa-b870-1ec9ff62772a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=tchH ** 4*eO ]Ɋ&  !eO4* F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0cdf51be-0678-42aa-b870-1ec9ff62772a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=74034acf-0b87-472e-89ea-7cc4e578509f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Se ** 5*O ]Ɋ&  !O5* F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=0cdf51be-0678-42aa-b870-1ec9ff62772a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=74034acf-0b87-472e-89ea-7cc4e578509f PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e ** 6*O ]Ɋ& w !XO6* F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=40209323-8183-4ee5-a99b-3989ca5e6ce6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=O **87*O ]Ɋ&  !XO7* F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=40209323-8183-4ee5-a99b-3989ca5e6ce6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t8**88*O ]Ɋ&  !XO8* F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=40209323-8183-4ee5-a99b-3989ca5e6ce6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Tri8**09*O ]Ɋ&  !XO9* F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=40209323-8183-4ee5-a99b-3989ca5e6ce6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= i0**0:*O ]Ɋ&  !XO:* F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=40209323-8183-4ee5-a99b-3989ca5e6ce6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ger0**0;*O ]Ɋ&  !XO;* F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=40209323-8183-4ee5-a99b-3989ca5e6ce6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) 0**<*O ]Ɋ&  !O<* F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=40209323-8183-4ee5-a99b-3989ca5e6ce6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f1ff284f-e06c-4737-8169-1e5a97fed8d1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= i**=*)O ]Ɋ&  !)O=* F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=40209323-8183-4ee5-a99b-3989ca5e6ce6 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=f1ff284f-e06c-4737-8169-1e5a97fed8d1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **>*)O ]Ɋ& K!X)O>* F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ccc1145f-5261-4599-b649-c9dd5553c05c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=th=**?*)O ]Ɋ& c!X)O?* F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ccc1145f-5261-4599-b649-c9dd5553c05c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sto**@*)O ]Ɋ& _!X)O@* F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ccc1145f-5261-4599-b649-c9dd5553c05c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**A*)O ]Ɋ& W!X)OA* F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ccc1145f-5261-4599-b649-c9dd5553c05c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnkB*V*B*V*P 3ɡMu=VysMc&&** B*)O ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X)OB* F&F%g>9{p(xlMD EventDatauoData !Binary4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ccc1145f-5261-4599-b649-c9dd5553c05c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ue **C*)O ]Ɋ& Y!X)OC* F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ccc1145f-5261-4599-b649-c9dd5553c05c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$fal**XD*)O ]Ɋ& !)OD* F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ccc1145f-5261-4599-b649-c9dd5553c05c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=f6896806-cd08-4550-9ba9-0718d68ec705 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**`E*)O ]Ɋ& !)OE* F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ccc1145f-5261-4599-b649-c9dd5553c05c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=f6896806-cd08-4550-9ba9-0718d68ec705 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Fi`** F*)O ]Ɋ& w !X)OF* F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9ad3bb69-0c8f-4679-bd82-31eb706b216b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n **8G*)O ]Ɋ&  !X)OG* F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9ad3bb69-0c8f-4679-bd82-31eb706b216b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=u8**8H*)O ]Ɋ&  !X)OH* F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9ad3bb69-0c8f-4679-bd82-31eb706b216b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= } 8**0I*)O ]Ɋ&  !X)OI* F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9ad3bb69-0c8f-4679-bd82-31eb706b216b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= i0**0J*)O ]Ɋ&  !X)OJ* F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9ad3bb69-0c8f-4679-bd82-31eb706b216b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=y {0**0K*)O ]Ɋ&  !X)OK* F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9ad3bb69-0c8f-4679-bd82-31eb706b216b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $0**L*)O ]Ɋ&  !)OL* F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9ad3bb69-0c8f-4679-bd82-31eb706b216b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=c918286b-326e-4b26-8e49-13114e3d242e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= }**M*(O ]Ɋ&  !(OM* F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=9ad3bb69-0c8f-4679-bd82-31eb706b216b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=c918286b-326e-4b26-8e49-13114e3d242e PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $ma** N*(O ]Ɋ&  !X(ON* F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2a53b266-55f1-4d31-9c45-405f79ad67b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t ** O*(O ]Ɋ&  !X(OO* F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2a53b266-55f1-4d31-9c45-405f79ad67b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=| ** P*(O ]Ɋ&  !X(OP* F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2a53b266-55f1-4d31-9c45-405f79ad67b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== ** Q*(O ]Ɋ&  !X(OQ* F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2a53b266-55f1-4d31-9c45-405f79ad67b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nti ** R*(O ]Ɋ&  !X(OR* F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2a53b266-55f1-4d31-9c45-405f79ad67b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ont ** S*(O ]Ɋ&  !X(OS* F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2a53b266-55f1-4d31-9c45-405f79ad67b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** T*(O ]Ɋ& e !(OT* F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2a53b266-55f1-4d31-9c45-405f79ad67b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=ca6459ef-1b42-4b16-a9c4-1e07cddfbbcb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dd **XU*(O ]Ɋ&  !X(OU* F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b61ca8fa-a6cd-4af5-a1b9-b19c249a2694 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=auX**pV*(O ]Ɋ&  !X(OV* F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b61ca8fa-a6cd-4af5-a1b9-b19c249a2694 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -p 11) {"ramdi ]Ɋ& CoX(OW* F&nspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sto**@*)O ]Ɋ& _!X)O@* F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ccc1145f-5261-4599-b649-c9dd5553c05c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**A*)O ]Ɋ& W!X)OA* F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ccc1145f-5261-4599-b649-c9dd5553c05c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnkW*k*W*k*HIgdcMu=VysMc&&**pW*(O ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! Q!X(OW* F&F%g>9{p(xlMD EventDatauoData !Binary FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b61ca8fa-a6cd-4af5-a1b9-b19c249a2694 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=lp**hX*(O ]Ɋ&  !X(OX* F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b61ca8fa-a6cd-4af5-a1b9-b19c249a2694 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=onPrh**hY*(O ]Ɋ&  !X(OY* F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b61ca8fa-a6cd-4af5-a1b9-b19c249a2694 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ort-h**hZ*(O ]Ɋ&  !X(OZ* F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b61ca8fa-a6cd-4af5-a1b9-b19c249a2694 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rfah** [*ZO ]Ɋ& q !ZO[* F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=2a53b266-55f1-4d31-9c45-405f79ad67b4 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=ca6459ef-1b42-4b16-a9c4-1e07cddfbbcb PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **\*ZO ]Ɋ&  !ZO\* F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b61ca8fa-a6cd-4af5-a1b9-b19c249a2694 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=58206c3c-c939-4137-abc8-f04e95dea789 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=der**]*ZO ]Ɋ& !ZO]* F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=b61ca8fa-a6cd-4af5-a1b9-b19c249a2694 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=58206c3c-c939-4137-abc8-f04e95dea789 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=N**^*ZO ]Ɋ& 7!XZO^* F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=fffc5f94-5fd2-44e1-ae63-d720c398f3a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **_*ZO ]Ɋ& O!XZO_* F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=fffc5f94-5fd2-44e1-ae63-d720c398f3a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=R**`*ZO ]Ɋ& K!XZO`* F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=fffc5f94-5fd2-44e1-ae63-d720c398f3a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Con**a*ZO ]Ɋ& C!XZOa* F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=fffc5f94-5fd2-44e1-ae63-d720c398f3a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= el**b*ZO ]Ɋ& C!XZOb* F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=fffc5f94-5fd2-44e1-ae63-d720c398f3a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ofi**c*ZO ]Ɋ& E!XZOc* F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=fffc5f94-5fd2-44e1-ae63-d720c398f3a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **Xd*ZO ]Ɋ&  !XZOd* F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=6ec3b9d1-5681-4dac-b805-b660c8688529 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= {X**pe*ZO ]Ɋ&  !XZOe* F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=6ec3b9d1-5681-4dac-b805-b660c8688529 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= |p**pf*ZO ]Ɋ&  !XZOf* F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=6ec3b9d1-5681-4dac-b805-b660c8688529 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= }p**hg*ZO ]Ɋ&  !XZOg* F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=6ec3b9d1-5681-4dac-b805-b660c8688529 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= Byph**hh*ZO ]Ɋ&  !XZOh* F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=6ec3b9d1-5681-4dac-b805-b660c8688529 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n = h**hi*ZO ]Ɋ&  !XZOi* F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=6ec3b9d1-5681-4dac-b805-b660c8688529 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h {h**@j*ZO ]Ɋ& !ZOj* F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=fffc5f94-5fd2-44e1-ae63-d720c398f3a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=453b8606-6e6a-48b8-9ed7-0aea5ad9ed15 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=) @**k*ZO ]Ɋ&  !ZOk* F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=6ec3b9d1-5681-4dac-b805-b660c8688529 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=ea30eebe-3070-4bf1-b6bf-cb58506d1270 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xe oProfile -No ]Ɋ& GeZOl* F&calDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**A*)O ]Ɋ& W!X)OA* F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ccc1145f-5261-4599-b649-c9dd5553c05c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnkl**l**H  Mu=VysMc&&**l*ZO ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !ZOl* F&F%g>9{p(xlMD EventDatauoData !Binary StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=6ec3b9d1-5681-4dac-b805-b660c8688529 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=ea30eebe-3070-4bf1-b6bf-cb58506d1270 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**Pm*ZO ]Ɋ& !ZOm* F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=fffc5f94-5fd2-44e1-ae63-d720c398f3a8 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=453b8606-6e6a-48b8-9ed7-0aea5ad9ed15 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=g.SiP**Hn*^yP ]Ɋ& !X^yPn* F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=fb2e3d25-83b8-4117-b510-f0c4cd3317aa HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= H**`o*^yP ]Ɋ& !X^yPo* F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=fb2e3d25-83b8-4117-b510-f0c4cd3317aa HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**`p*^yP ]Ɋ& !X^yPp* F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=fb2e3d25-83b8-4117-b510-f0c4cd3317aa HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$si`**Xq*^yP ]Ɋ& !X^yPq* F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=fb2e3d25-83b8-4117-b510-f0c4cd3317aa HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**Xr*^yP ]Ɋ& !X^yPr* F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=fb2e3d25-83b8-4117-b510-f0c4cd3317aa HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndTX**Xs*^yP ]Ɋ& !X^yPs* F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=fb2e3d25-83b8-4117-b510-f0c4cd3317aa HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=E_X**t*^yP ]Ɋ& !^yPt* F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=fb2e3d25-83b8-4117-b510-f0c4cd3317aa HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=eb5cb1b3-2e8b-4556-b34d-6aa9b62e31dd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Wh**u*YaP ]Ɋ& K!XYaPu* F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=564531d4-c2a9-4934-bb23-f798e771b26c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**v*YaP ]Ɋ& c!XYaPv* F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=564531d4-c2a9-4934-bb23-f798e771b26c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fo **w*YaP ]Ɋ& _!XYaPw* F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=564531d4-c2a9-4934-bb23-f798e771b26c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=c**x*YaP ]Ɋ& W!XYaPx* F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=564531d4-c2a9-4934-bb23-f798e771b26c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n**y*YaP ]Ɋ& W!XYaPy* F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=564531d4-c2a9-4934-bb23-f798e771b26c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **z*YaP ]Ɋ& Y!XYaPz* F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=564531d4-c2a9-4934-bb23-f798e771b26c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=atus**X{*YaP ]Ɋ& !YaP{* F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=564531d4-c2a9-4934-bb23-f798e771b26c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=c514497f-ca52-4f38-a324-0a27a69bd797 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**`|*YaP ]Ɋ& !YaP|* F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=564531d4-c2a9-4934-bb23-f798e771b26c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=c514497f-ca52-4f38-a324-0a27a69bd797 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e'`** }*YaP ]Ɋ& w !XYaP}* F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b0ce99c3-24b3-4719-8210-14ba958af9ff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a **8~*YaP ]Ɋ&  !XYaP~* F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b0ce99c3-24b3-4719-8210-14ba958af9ff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e8**8*YaP ]Ɋ&  !XYaP* F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b0ce99c3-24b3-4719-8210-14ba958af9ff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ens8**0*YaP ]Ɋ&  !XYaP* F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b0ce99c3-24b3-4719-8210-14ba958af9ff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ifi0**0*YaP ]Ɋ&  !XYaP* F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b0ce99c3-24b3-4719-8210-14ba958af9ff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Sec0**0*YaP ]Ɋ&  !XYaP* F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b0ce99c3-24b3-4719-8210-14ba958af9ff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0***YaP ]Ɋ&  !YaP* F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b0ce99c3-24b3-4719-8210-14ba958af9ff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=744071dd-3817-4453-bb17-94347502d5f9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=yp***P ]Ɋ&  !P* F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=b0ce99c3-24b3-4719-8210-14ba958af9ff HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=744071dd-3817-4453-bb17-94347502d5f9 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=curi** *P ]Ɋ&  !XP* F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=41229158-a6c4-4cc8-88f3-d609dc7979da HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p ** *P ]Ɋ&  !XP* F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=41229158-a6c4-4cc8-88f3-d609dc7979da HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d ** *P ]Ɋ&  !XP* F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=41229158-a6c4-4cc8-88f3-d609dc7979da HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=  ]Ɋ&  XP* F&ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ccc1145f-5261-4599-b649-c9dd5553c05c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnk****(Xj(r/Mu=VysMc&&** *P ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID !  !XP* F&F%g>9{p(xlMD EventDatauoData !BinaryFunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=41229158-a6c4-4cc8-88f3-d609dc7979da HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** *P ]Ɋ&  !XP* F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=41229158-a6c4-4cc8-88f3-d609dc7979da HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=to ** *P ]Ɋ&  !XP* F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=41229158-a6c4-4cc8-88f3-d609dc7979da HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e= ** *P ]Ɋ& e !P* F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=41229158-a6c4-4cc8-88f3-d609dc7979da HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=657b52bf-dbd6-48eb-b3df-1accfbdcbbd0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S ** *P ]Ɋ& q !P* F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=41229158-a6c4-4cc8-88f3-d609dc7979da HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=657b52bf-dbd6-48eb-b3df-1accfbdcbbd0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=cati ***P ]Ɋ& 7!XP* F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d1612f98-63cc-4c07-9c5e-40dc7ca90d4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=D***P ]Ɋ& O!XP* F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d1612f98-63cc-4c07-9c5e-40dc7ca90d4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=q***P ]Ɋ& K!XP* F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d1612f98-63cc-4c07-9c5e-40dc7ca90d4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Med***P ]Ɋ& C!XP* F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d1612f98-63cc-4c07-9c5e-40dc7ca90d4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t {***P ]Ɋ& C!XP* F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d1612f98-63cc-4c07-9c5e-40dc7ca90d4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=re-***P ]Ɋ& E!XP* F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d1612f98-63cc-4c07-9c5e-40dc7ca90d4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sk**@*P ]Ɋ& !P* F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d1612f98-63cc-4c07-9c5e-40dc7ca90d4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=0f36b496-4b7e-491a-a2a1-d154a57a03da PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ia@**P*P ]Ɋ& !P* F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=d1612f98-63cc-4c07-9c5e-40dc7ca90d4d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=0f36b496-4b7e-491a-a2a1-d154a57a03da PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ct {P***J\P ]Ɋ&  !J\P* F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=fb2e3d25-83b8-4117-b510-f0c4cd3317aa HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=eb5cb1b3-2e8b-4556-b34d-6aa9b62e31dd PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=on=4**H*,Q ]Ɋ& !X,Q* F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a90b4fb6-63a9-4535-8a23-878c1dff9376 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=uH**`*,Q ]Ɋ& !X,Q* F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a90b4fb6-63a9-4535-8a23-878c1dff9376 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a`**`*,Q ]Ɋ& !X,Q* F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a90b4fb6-63a9-4535-8a23-878c1dff9376 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=~*`**X*,Q ]Ɋ& !X,Q* F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a90b4fb6-63a9-4535-8a23-878c1dff9376 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dapX**X*,Q ]Ɋ& !X,Q* F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a90b4fb6-63a9-4535-8a23-878c1dff9376 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nd X**X*,Q ]Ɋ& !X,Q* F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a90b4fb6-63a9-4535-8a23-878c1dff9376 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mmX***,Q ]Ɋ& !,Q* F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a90b4fb6-63a9-4535-8a23-878c1dff9376 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a27edfb3-93a5-48c7-9614-36149cd7bb69 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=na***./Q ]Ɋ&  !./Q* F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=a90b4fb6-63a9-4535-8a23-878c1dff9376 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=a27edfb3-93a5-48c7-9614-36149cd7bb69 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ore ***1KQ ]Ɋ& K!X1KQ* F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=bd374e81-e50f-4d4d-92e0-1782b2e03b4b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Y***1KQ ]Ɋ& c!X1KQ* F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=bd374e81-e50f-4d4d-92e0-1782b2e03b4b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1 ***1KQ ]Ɋ& _!X1KQ* F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=bd374e81-e50f-4d4d-92e0-1782b2e03b4b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine==***1KQ ]Ɋ& W!X1KQ* F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=bd374e81-e50f-4d4d-92e0-1782b2e03b4b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t***1KQ ]Ɋ& W!X1KQ* F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=bd374e81-e50f-4d4d-92e0-1782b2e03b4b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-***1KQ ]Ɋ& Y!X1KQ* F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=bd374e81-e50f-4d4d-92e0-1782b2e03b4b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n=po**X*1KQ ]Ɋ& !1KQ* F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=bd374e81-e50f-4d4d-92e0-1782b2e03b4b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=4603921e-a43a-4c0d-b9a1-25ecd752b065 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=} caX**`*1KQ ]Ɋ& !1KQ* F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=bd374e81-e50f-4d4d-92e0-1782b2e03b4b HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=4603921e-a43a-4c0d-b9a1-25ecd752b065 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e`** *1KQ ]Ɋ& w !X1KQ* F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=d93c45ca-ae4f-4787-8133-7e80d32f33ad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **8*1KQ ]Ɋ&  !X1KQ* F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=d93c45ca-ae4f-4787-8133-7e80d32f33ad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8**8*1KQ ]Ɋ&  !X1KQ* F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=d93c45ca-ae4f-4787-8133-7e80d32f33ad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pte8**0*1KQ ]Ɋ&  !X1KQ* F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=d93c45ca-ae4f-4787-8133-7e80d32f33ad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0pelineId=  ]Ɋ& maX1KQ* F&  ]Ɋ&  XP* F&ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ccc1145f-5261-4599-b649-c9dd5553c05c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnk****`t8:Mu=VysMc&&**0*1KQ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !X1KQ* F&F%g>9{p(xlMD EventDatauoData !Binary` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=d93c45ca-ae4f-4787-8133-7e80d32f33ad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0*1KQ ]Ɋ&  !X1KQ* F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=d93c45ca-ae4f-4787-8133-7e80d32f33ad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rs0***1KQ ]Ɋ&  !1KQ* F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=d93c45ca-ae4f-4787-8133-7e80d32f33ad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=7d953bd7-6950-4fa8-9234-7add8c4f761a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$d***NKQ ]Ɋ&  !NKQ* F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=d93c45ca-ae4f-4787-8133-7e80d32f33ad HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=7d953bd7-6950-4fa8-9234-7add8c4f761a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=40dc** *NKQ ]Ɋ&  !XNKQ* F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=932f0c26-a963-4631-9eff-8e6ae37ac12e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=m ** *NKQ ]Ɋ&  !XNKQ* F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=932f0c26-a963-4631-9eff-8e6ae37ac12e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** *NKQ ]Ɋ&  !XNKQ* F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=932f0c26-a963-4631-9eff-8e6ae37ac12e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ole ** *NKQ ]Ɋ&  !XNKQ* F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=932f0c26-a963-4631-9eff-8e6ae37ac12e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rsi ** *NKQ ]Ɋ&  !XNKQ* F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=932f0c26-a963-4631-9eff-8e6ae37ac12e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=mma ** *NKQ ]Ɋ&  !XNKQ* F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=932f0c26-a963-4631-9eff-8e6ae37ac12e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** *NKQ ]Ɋ& e !NKQ* F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=932f0c26-a963-4631-9eff-8e6ae37ac12e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=0b324187-a609-49cd-aa3f-6f4af0b7c466 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=6- ** *bLQ ]Ɋ& q !bLQ* F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=932f0c26-a963-4631-9eff-8e6ae37ac12e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=0b324187-a609-49cd-aa3f-6f4af0b7c466 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=File ***bLQ ]Ɋ& 7!XbLQ* F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=2ee6b945-e206-4384-8a84-363174b9905a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=z***bLQ ]Ɋ& O!XbLQ* F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=2ee6b945-e206-4384-8a84-363174b9905a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=S***bLQ ]Ɋ& K!XbLQ* F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=2ee6b945-e206-4384-8a84-363174b9905a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=.De***bLQ ]Ɋ& C!XbLQ* F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=2ee6b945-e206-4384-8a84-363174b9905a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ath***bLQ ]Ɋ& C!XbLQ* F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=2ee6b945-e206-4384-8a84-363174b9905a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t]@***bLQ ]Ɋ& E!XbLQ* F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=2ee6b945-e206-4384-8a84-363174b9905a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=to**@*bLQ ]Ɋ& !bLQ* F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=2ee6b945-e206-4384-8a84-363174b9905a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=e5a0c2b2-dc62-4524-ae06-8ffa35b1dbb4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=vi@**P*bLQ ]Ɋ& !bLQ* F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=2ee6b945-e206-4384-8a84-363174b9905a HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=e5a0c2b2-dc62-4524-ae06-8ffa35b1dbb4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=PathP**H*Q ]Ɋ& !XQ* F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=984eca13-6fd0-4be9-9ca5-c812a3860fc8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-H**`*Q ]Ɋ& !XQ* F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=984eca13-6fd0-4be9-9ca5-c812a3860fc8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**`*Q ]Ɋ& !XQ* F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=984eca13-6fd0-4be9-9ca5-c812a3860fc8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ess`**X*Q ]Ɋ& !XQ* F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=984eca13-6fd0-4be9-9ca5-c812a3860fc8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=oviX**X*Q ]Ɋ& !XQ* F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=984eca13-6fd0-4be9-9ca5-c812a3860fc8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= X**X*Q ]Ɋ& !XQ* F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=984eca13-6fd0-4be9-9ca5-c812a3860fc8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nuX***Q ]Ɋ& !Q* F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=984eca13-6fd0-4be9-9ca5-c812a3860fc8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=89e6ea06-9bc6-4811-8b09-e2414b2b1713 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=1K**X*r Q ]Ɋ&  !Xr Q* F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=9074dc56-198f-47e8-bcb2-494886bc532e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X**p*r Q ]Ɋ&  !Xr Q* F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=9074dc56-198f-47e8-bcb2-494886bc532e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=paX1KQ ]Ɋ& Xr Q* F& XP* F&ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ccc1145f-5261-4599-b649-c9dd5553c05c HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnk****`g=Mu=VysMc&&**p*r Q ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! Q!Xr Q* F&F%g>9{p(xlMD EventDatauoData !Binary FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=9074dc56-198f-47e8-bcb2-494886bc532e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**h*r Q ]Ɋ&  !Xr Q* F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=9074dc56-198f-47e8-bcb2-494886bc532e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h*r Q ]Ɋ&  !Xr Q* F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=9074dc56-198f-47e8-bcb2-494886bc532e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h**h*r Q ]Ɋ&  !Xr Q* F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=9074dc56-198f-47e8-bcb2-494886bc532e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h***r Q ]Ɋ&  !r Q* F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=9074dc56-198f-47e8-bcb2-494886bc532e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=894e7bad-2ba0-432d-8cb9-ca61d7afaded PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine={ ***r Q ]Ɋ& !r Q* F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=9074dc56-198f-47e8-bcb2-494886bc532e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=894e7bad-2ba0-432d-8cb9-ca61d7afaded PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**X*کQ ]Ɋ&  !XکQ* F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=1a245924-b23d-4127-b64e-120cbd022196 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fiX**p*کQ ]Ɋ&  !XکQ* F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=1a245924-b23d-4127-b64e-120cbd022196 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=p**p*کQ ]Ɋ&  !XکQ* F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=1a245924-b23d-4127-b64e-120cbd022196 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=DnsCp**h*کQ ]Ɋ&  !XکQ* F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=1a245924-b23d-4127-b64e-120cbd022196 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ionPh**h*کQ ]Ɋ&  !XکQ* F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=1a245924-b23d-4127-b64e-120cbd022196 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine== h**h*کQ ]Ɋ&  !XکQ* F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=1a245924-b23d-4127-b64e-120cbd022196 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0 h***کQ ]Ɋ&  !کQ* F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=1a245924-b23d-4127-b64e-120cbd022196 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=06bd5077-24b9-476f-9d48-282ac60ff75b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ipt***کQ ]Ɋ& !کQ* F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=1a245924-b23d-4127-b64e-120cbd022196 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=06bd5077-24b9-476f-9d48-282ac60ff75b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=q** *کQ ]Ɋ& w !XکQ* F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5dbfcb59-a347-43ed-87a9-1abb3dc72bcd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=H **8*کQ ]Ɋ&  !XکQ* F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5dbfcb59-a347-43ed-87a9-1abb3dc72bcd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=88**8*کQ ]Ɋ&  !XکQ* F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5dbfcb59-a347-43ed-87a9-1abb3dc72bcd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Ver8on=4.0 Hos ]Ɋ& ApXکQ* F&rofile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnk****0xH^Mu=VysMc&&**0*کQ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XکQ* F&F%g>9{p(xlMD EventDatauoData !Binary` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5dbfcb59-a347-43ed-87a9-1abb3dc72bcd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=0**0*کQ ]Ɋ&  !XکQ* F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5dbfcb59-a347-43ed-87a9-1abb3dc72bcd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=omm0**0*کQ ]Ɋ&  !XکQ* F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5dbfcb59-a347-43ed-87a9-1abb3dc72bcd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=el0***کQ ]Ɋ&  !کQ* F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5dbfcb59-a347-43ed-87a9-1abb3dc72bcd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=7d8ff9c5-8e61-4879-99b0-4182d703b608 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Co***qBQ ]Ɋ&  !qBQ* F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=5dbfcb59-a347-43ed-87a9-1abb3dc72bcd HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=7d8ff9c5-8e61-4879-99b0-4182d703b608 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fade***qBQ ]Ɋ&  !XqBQ* F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=56e81a0d-4a0a-4a41-89bc-3e969ff50749 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=-432***qBQ ]Ɋ&  !XqBQ* F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=56e81a0d-4a0a-4a41-89bc-3e969ff50749 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me= ***qBQ ]Ɋ& !XqBQ* F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=56e81a0d-4a0a-4a41-89bc-3e969ff50749 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= C***qBQ ]Ɋ&  !XqBQ* F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=56e81a0d-4a0a-4a41-89bc-3e969ff50749 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=***qBQ ]Ɋ&  !XqBQ* F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=56e81a0d-4a0a-4a41-89bc-3e969ff50749 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=***qBQ ]Ɋ&  !XqBQ* F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=56e81a0d-4a0a-4a41-89bc-3e969ff50749 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=***qBQ ]Ɋ& O!qBQ* F&,AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=56e81a0d-4a0a-4a41-89bc-3e969ff50749 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=8525ef85-202d-4764-9c67-8253c8658ec0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a***Q ]Ɋ& [!Q* F&8StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=56e81a0d-4a0a-4a41-89bc-3e969ff50749 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $taskName = 'Neptune-Agent-HealthCheck' try { $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) Set-ScheduledTask -TaskName $taskName -Settings $settings -ErrorAction Stop | Out-Null } catch { # Fallback for older Windows versions - settings will use defaults Write-Output "WARNING: Could not configure task settings: $_" } # Add a boot trigger so health check runs shortly after system startup try { $task = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop $existingTriggers = $task.Triggers $hasBootTrigger = $false foreach ($t in $existingTriggers) { if ($t.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger') { $hasBootTrigger = $true break } } if (-not $hasBootTrigger) { $bootTrigger = New-ScheduledTaskTrigger -AtStartup # Delay 2 minutes after boot to let the system settle $bootTrigger.Delay = 'PT2M' $allTriggers = @($existingTriggers) + @($bootTrigger) Set-ScheduledTask -TaskName $taskName -Trigger $allTriggers -ErrorAction Stop | Out-Null } } catch { # Non-fatal - the repetition trigger still provides coverage Write-Output "WARNING: Could not add boot trigger: $_" } EngineVersion=4.0 RunspaceId=8525ef85-202d-4764-9c67-8253c8658ec0 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=le ***sQ ]Ɋ&  !sQ* F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=984eca13-6fd0-4be9-9ca5-c812a3860fc8 HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=89e6ea06-9bc6-4811-8b09-e2414b2b1713 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=JECT**8 *Q ]Ɋ&  !XQ* F&j AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=e1f892c8-a586-403b-a2c3-7818518fc833 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8 **P *Q ]Ɋ&  !XQ* F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=e1f892c8-a586-403b-a2c3-7818518fc833 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=enP **P *Q ]Ɋ&  !XQ* F&~ FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=e1f892c8-a586-403b-a2c3-7818518fc833 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=BypaP **H *Q ]Ɋ&  !XQ* F&v FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=e1f892c8-a586-403b-a2c3-7818518fc833 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=veTyH -eq 6 } | F ]Ɋ& .DXQ* F&pe = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnk**** "K{VMu=VysMc&&**H*Q ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! ) !XQ* F&F%g>9{p(xlMD EventDatauoData !Binaryv RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=e1f892c8-a586-403b-a2c3-7818518fc833 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=iH**H *Q ]Ɋ&  !XQ* F&x VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=e1f892c8-a586-403b-a2c3-7818518fc833 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t -H ** *Q ]Ɋ&  !Q* F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=e1f892c8-a586-403b-a2c3-7818518fc833 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=6d883a90-840d-44b6-b8a3-88bf995ebcab PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t { ** *Q ]Ɋ&  !Q* F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=e1f892c8-a586-403b-a2c3-7818518fc833 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $killed = 0 $myPid = $PID $threshold = (Get-Date).AddMinutes(-5) $neptunePattern = 'Microsoft\.Update\.Session|excludedKBs|IsInstalled=|IsHidden=|PSWindowsUpdate' $psProcs = Get-CimInstance Win32_Process -Filter "Name LIKE '%powershell%'" foreach ($proc in $psProcs) { if ($proc.ProcessId -eq $myPid) { continue } if ($proc.SessionId -ne 0) { continue } $ppid = $proc.ParentProcessId if (-not $ppid -or $ppid -le 0) { continue } $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid" -ErrorAction SilentlyContinue $shouldKill = $false if ($parent -and $parent.Name -like 'neptune-*') { if ($proc.CreationDate -and $proc.CreationDate -lt $threshold) { $shouldKill = $true } } elseif (-not $parent) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } elseif ($parent.CreationDate -and $proc.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { if ($proc.CommandLine -match $neptunePattern) { $shouldKill = $true } } if ($shouldKill) { try { Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion=4.0 RunspaceId=6d883a90-840d-44b6-b8a3-88bf995ebcab PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** *Q ]Ɋ& w !XQ* F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f2f4e8fb-82da-4b9e-ac4a-85bbe9a05515 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e **8*Q ]Ɋ&  !XQ* F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f2f4e8fb-82da-4b9e-ac4a-85bbe9a05515 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i8**8*Q ]Ɋ&  !XQ* F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f2f4e8fb-82da-4b9e-ac4a-85bbe9a05515 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=if 8**0*Q ]Ɋ&  !XQ* F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f2f4e8fb-82da-4b9e-ac4a-85bbe9a05515 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Tri0**0*Q ]Ɋ&  !XQ* F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f2f4e8fb-82da-4b9e-ac4a-85bbe9a05515 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=gge0**0*Q ]Ɋ&  !XQ* F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f2f4e8fb-82da-4b9e-ac4a-85bbe9a05515 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0***Q ]Ɋ&  !Q* F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f2f4e8fb-82da-4b9e-ac4a-85bbe9a05515 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=3d5ca4c2-6384-4762-9dc9-650b13ae01d8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ge***R8Q ]Ɋ&  !R8Q* F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=f2f4e8fb-82da-4b9e-ac4a-85bbe9a05515 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=3d5ca4c2-6384-4762-9dc9-650b13ae01d8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $e***R8Q ]Ɋ& K!XR8Q* F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ab6fed18-b8dd-42dd-9f59-54bd950f4acf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eli***R8Q ]Ɋ& c!XR8Q* F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ab6fed18-b8dd-42dd-9f59-54bd950f4acf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=edu***R8Q ]Ɋ& _!XR8Q* F&<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ab6fed18-b8dd-42dd-9f59-54bd950f4acf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ***R8Q ]Ɋ& W!XR8Q* F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ab6fed18-b8dd-42dd-9f59-54bd950f4acf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h***R8Q ]Ɋ& W!XR8Q* F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ab6fed18-b8dd-42dd-9f59-54bd950f4acf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e***R8Q ]Ɋ& Y!XR8Q* F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ab6fed18-b8dd-42dd-9f59-54bd950f4acf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ate **X*R8Q ]Ɋ& !R8Q* F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ab6fed18-b8dd-42dd-9f59-54bd950f4acf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=86398699-fbbc-41a4-a5f1-3becb7dc152a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=passX**`*R8Q ]Ɋ& !R8Q* F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ab6fed18-b8dd-42dd-9f59-54bd950f4acf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=86398699-fbbc-41a4-a5f1-3becb7dc152a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ne`** *R8Q ]Ɋ& w !XR8Q* F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=a79c91e1-e162-4acb-8040-2af412b5d18d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$ **8*R8Q ]Ɋ&  !XR8Q* F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=a79c91e1-e162-4acb-8040-2af412b5d18d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r8 } }  ]Ɋ& esXR8Q+ F&-ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=veTyH -eq 6 } | F ]Ɋ& .DXQ* F&pe = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnk++++pMEzMu=VysMc&&**8+R8Q ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XR8Q+ F&F%g>9{p(xlMD EventDatauoData !Binaryh FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=a79c91e1-e162-4acb-8040-2af412b5d18d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=8**0+R8Q ]Ɋ&  !XR8Q+ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=a79c91e1-e162-4acb-8040-2af412b5d18d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Hos0**0+R8Q ]Ɋ&  !XR8Q+ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=a79c91e1-e162-4acb-8040-2af412b5d18d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ll.0**0+R8Q ]Ɋ&  !XR8Q+ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=a79c91e1-e162-4acb-8040-2af412b5d18d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nc0**+R8Q ]Ɋ&  !R8Q+ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=a79c91e1-e162-4acb-8040-2af412b5d18d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=3e01b837-b534-4993-804d-c141f4d535d8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=f **+Q ]Ɋ&  !Q+ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=a79c91e1-e162-4acb-8040-2af412b5d18d HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=3e01b837-b534-4993-804d-c141f4d535d8 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=entl** +Q ]Ɋ&  !XQ+ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=f01ad0c6-30cf-4bc9-bdbf-3878c5654269 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=u ** +Q ]Ɋ&  !XQ+ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=f01ad0c6-30cf-4bc9-bdbf-3878c5654269 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o ** +Q ]Ɋ&  !XQ+ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=f01ad0c6-30cf-4bc9-bdbf-3878c5654269 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ric ** +Q ]Ɋ&  !XQ + F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=f01ad0c6-30cf-4bc9-bdbf-3878c5654269 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** +Q ]Ɋ&  !XQ + F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=f01ad0c6-30cf-4bc9-bdbf-3878c5654269 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nce ** +Q ]Ɋ&  !XQ + F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=f01ad0c6-30cf-4bc9-bdbf-3878c5654269 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $ ** +Q ]Ɋ& e !Q + F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=f01ad0c6-30cf-4bc9-bdbf-3878c5654269 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=b0cae3cf-2506-47b7-b79b-781033a93d62 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=St **X +iQ ]Ɋ&  !XiQ + F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=0cd64c56-68ad-4523-8f17-8b491678d897 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=AlX**p+iQ ]Ɋ&  !XiQ+ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=0cd64c56-68ad-4523-8f17-8b491678d897 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=lDp**p+iQ ]Ɋ&  !XiQ+ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=0cd64c56-68ad-4523-8f17-8b491678d897 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndTyp**h+iQ ]Ɋ&  !XiQ+ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=0cd64c56-68ad-4523-8f17-8b491678d897 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=me=Ch**h+iQ ]Ɋ&  !XiQ+ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=0cd64c56-68ad-4523-8f17-8b491678d897 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $h**h+iQ ]Ɋ&  !XiQ+ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=0cd64c56-68ad-4523-8f17-8b491678d897 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -ChssName Win32 ]Ɋ& _.iQ+ F&teway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r8 } }  ]Ɋ& esXR8Q+ F&-ErrorAction Stop $killed++ } catch {} } } Write-Output $killed EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=veTyH -eq 6 } | F ]Ɋ& .DXQ* F&pe = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnk+.++.+`p{eZ1P`Mu=VysMc&&**+iQ ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !iQ+ F&F%g>9{p(xlMD EventDatauoData !Binary AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=0cd64c56-68ad-4523-8f17-8b491678d897 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=804499c3-c52f-4303-beb5-6253cb7c1901 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**+iQ ]Ɋ& !iQ+ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=0cd64c56-68ad-4523-8f17-8b491678d897 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=804499c3-c52f-4303-beb5-6253cb7c1901 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=r** +iQ ]Ɋ& q !iQ+ F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=f01ad0c6-30cf-4bc9-bdbf-3878c5654269 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=b0cae3cf-2506-47b7-b79b-781033a93d62 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= $cf **X+iQ ]Ɋ&  !XiQ+ F& AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ec073dad-2f8c-474c-aab3-573bb9165343 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= -X**p+iQ ]Ɋ&  !XiQ+ F& EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ec073dad-2f8c-474c-aab3-573bb9165343 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=fip**p+iQ ]Ɋ&  !XiQ+ F& FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ec073dad-2f8c-474c-aab3-573bb9165343 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=etwop**h+iQ ]Ɋ&  !XiQ+ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ec073dad-2f8c-474c-aab3-573bb9165343 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Hosth**h+iQ ]Ɋ&  !XiQ+ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ec073dad-2f8c-474c-aab3-573bb9165343 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Infoh**h+iQ ]Ɋ&  !XiQ+ F& VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ec073dad-2f8c-474c-aab3-573bb9165343 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=erSh**+iQ ]Ɋ&  !iQ+ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ec073dad-2f8c-474c-aab3-573bb9165343 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=85f5bb0b-0cbc-4404-a1e2-19f6d4becfc7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **+iQ ]Ɋ& !iQ+ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ec073dad-2f8c-474c-aab3-573bb9165343 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' try { $path = $env:NEPTUNE_CODESIGN_PATH if (-not $path) { throw 'Missing NEPTUNE_CODESIGN_PATH environment variable' } $sig = Get-AuthenticodeSignature -LiteralPath $path Write-Output "STATUS:$($sig.Status)" Write-Output "STATUSMESSAGE:$($sig.StatusMessage)" if ($sig.SignerCertificate) { Write-Output "SIGNERSUBJECT:$($sig.SignerCertificate.Subject)" Write-Output "SIGNERTHUMBPRINT:$($sig.SignerCertificate.Thumbprint)" } if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { $cert = $sig.SignerCertificate # Get EKUs (Enhanced Key Usage extension OID = 2.5.29.37) $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1 $ekus = @() if ($ekuExt) { try { $ekuTyped = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt if ($ekuTyped.EnhancedKeyUsages) { $ekus = $ekuTyped.EnhancedKeyUsages | ForEach-Object { $_.Value } } } catch { # Ignore and fall back to empty list } } Write-Output "EKUS:$($ekus -join ',')" } } catch { Write-Output "ERROR:$($_.Exception.Message)" exit 1 } EngineVersion=4.0 RunspaceId=85f5bb0b-0cbc-4404-a1e2-19f6d4becfc7 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=o**+iQ ]Ɋ& 7!XiQ+ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=ba3433cf-547b-4ed8-ac4b-7c6123faa4bf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=s**+iQ ]Ɋ& O!XiQ+ F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=ba3433cf-547b-4ed8-ac4b-7c6123faa4bf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i** +iQ ]Ɋ& K!XiQ + F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=ba3433cf-547b-4ed8-ac4b-7c6123faa4bf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ure**!+iQ ]Ɋ& C!XiQ!+ F& FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=ba3433cf-547b-4ed8-ac4b-7c6123faa4bf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xt **"+iQ ]Ɋ& C!XiQ"+ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=ba3433cf-547b-4ed8-ac4b-7c6123faa4bf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ad-**#+iQ ]Ɋ& E!XiQ#+ F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=ba3433cf-547b-4ed8-ac4b-7c6123faa4bf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=En**@$+iQ ]Ɋ& !iQ$+ F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=ba3433cf-547b-4ed8-ac4b-7c6123faa4bf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=08111e9c-fca6-4f73-a716-9f0a5c422e28 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=om@**P%+iQ ]Ɋ& !iQ%+ F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=ba3433cf-547b-4ed8-ac4b-7c6123faa4bf HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=08111e9c-fca6-4f73-a716-9f0a5c422e28 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=sig.P**H&+xlR ]Ɋ& !XxlR&+ F&|AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=67e40604-90a5-4abb-8fc7-4c7c960a2cbf HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=eH**`'+xlR ]Ɋ& !XxlR'+ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=67e40604-90a5-4abb-8fc7-4c7c960a2cbf HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=`**`(+xlR ]Ɋ& !XxlR(+ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=67e40604-90a5-4abb-8fc7-4c7c960a2cbf HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= `**X)+xlR ]Ɋ& !XxlR)+ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=67e40604-90a5-4abb-8fc7-4c7c960a2cbf HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=t -X**X*+xlR ]Ɋ& !XxlR*+ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=67e40604-90a5-4abb-8fc7-4c7c960a2cbf HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=xitX**X++xlR ]Ɋ& !XxlR++ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=67e40604-90a5-4abb-8fc7-4c7c960a2cbf HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nvX**,+xlR ]Ɋ& !xlR,+ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=67e40604-90a5-4abb-8fc7-4c7c960a2cbf HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=5d204a09-4905-4b70-b344-4535f50673c5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=d **-+pR ]Ɋ& K!XpR-+ F&(AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=29710425-f8bd-42d0-adc9-ed0f0f842f6f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Com**.+pR ]Ɋ& c!XpR.+ F&@EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=29710425-f8bd-42d0-adc9-ed0f0f842f6f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=kild Engine ]Ɋ& amXpR/+ F&e= CommandPath= CommandLine=veTyH -eq 6 } | F ]Ɋ& .DXQ* F&pe = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnk/+G+/+G+ CRfFMu=VysMc&&** /+pR ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XpR/+ F&F%g>9{p(xlMD EventDatauoData !Binary<FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=29710425-f8bd-42d0-adc9-ed0f0f842f6f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$( **0+pR ]Ɋ& W!XpR0+ F&4FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=29710425-f8bd-42d0-adc9-ed0f0f842f6f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=**1+pR ]Ɋ& W!XpR1+ F&4RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=29710425-f8bd-42d0-adc9-ed0f0f842f6f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=$**2+pR ]Ɋ& Y!XpR2+ F&6VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=29710425-f8bd-42d0-adc9-ed0f0f842f6f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **X3+pR ]Ɋ& !pR3+ F&AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=29710425-f8bd-42d0-adc9-ed0f0f842f6f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=1b2b8459-df0e-4c5d-a2ca-ef71bf19a52c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=EngiX**`4+pR ]Ɋ& !pR4+ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=29710425-f8bd-42d0-adc9-ed0f0f842f6f HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.MediaType -eq 11 -or $_.DriveType -eq 6 } | ForEach-Object { [PSCustomObject]@{ Path = $_.DeviceID Size = $_.Size Type = if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion=4.0 RunspaceId=1b2b8459-df0e-4c5d-a2ca-ef71bf19a52c PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=Un`** 5+pR ]Ɋ& w !XpR5+ F&T AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=b15787e4-5e27-4928-959a-c9b753b31350 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=j **86+pR ]Ɋ&  !XpR6+ F&l EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=b15787e4-5e27-4928-959a-c9b753b31350 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=h8**87+pR ]Ɋ&  !XpR7+ F&h FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=b15787e4-5e27-4928-959a-c9b753b31350 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 8**08+pR ]Ɋ&  !XpR8+ F&` FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=b15787e4-5e27-4928-959a-c9b753b31350 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ced0**09+pR ]Ɋ&  !XpR9+ F&` RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=b15787e4-5e27-4928-959a-c9b753b31350 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= 0**0:+pR ]Ɋ&  !XpR:+ F&b VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=b15787e4-5e27-4928-959a-c9b753b31350 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ag0**;+pR ]Ɋ&  !pR;+ F& AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=b15787e4-5e27-4928-959a-c9b753b31350 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=cde1665a-0b12-4331-afee-84661b7013ae PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=n]**<+R ]Ɋ&  !R<+ F& StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=16 HostName=ConsoleHost HostVersion=4.0 HostId=b15787e4-5e27-4928-959a-c9b753b31350 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $ErrorActionPreference = 'Stop' $mac = $null try { if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) { $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric,InterfaceMetric if ($routes -and (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { foreach ($route in $routes) { try { $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue | Select-Object -First 1 if ($adapter -and $adapter.MacAddress -and $adapter.MacAddress -ne '00-00-00-00-00-00') { $mac = $adapter.MacAddress break } } catch { # skip this route and try next } } } } } catch { # ignore and fall back } if (-not $mac) { try { if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } else { $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DefaultIPGateway -and $_.MACAddress } | Select-Object -First 1 } if ($cfg) { $mac = $cfg.MACAddress } } catch { # ignore } } if ($mac) { $mac } EngineVersion=4.0 RunspaceId=cde1665a-0b12-4331-afee-84661b7013ae PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X509** =+R ]Ɋ&  !XR=+ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=053ec491-05de-4ba6-9d4c-f18c5b02f670 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=i ** >+R ]Ɋ&  !XR>+ F&EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=053ec491-05de-4ba6-9d4c-f18c5b02f670 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** ?+R ]Ɋ&  !XR?+ F&FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=053ec491-05de-4ba6-9d4c-f18c5b02f670 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ame ** @+R ]Ɋ&  !XR@+ F&FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=053ec491-05de-4ba6-9d4c-f18c5b02f670 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=rit ** A+R ]Ɋ&  !XRA+ F&RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=053ec491-05de-4ba6-9d4c-f18c5b02f670 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=pow ** B+R ]Ɋ&  !XRB+ F&VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=053ec491-05de-4ba6-9d4c-f18c5b02f670 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= ** C+R ]Ɋ& e !RC+ F&B AvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=053ec491-05de-4ba6-9d4c-f18c5b02f670 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=e96dd04d-4864-4e55-b8bb-200ac7a64f55 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=nd ** D+FR ]Ɋ& q !FRD+ F&N StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=053ec491-05de-4ba6-9d4c-f18c5b02f670 HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { $adapters = Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} $dnsServers = @() $domains = @() foreach ($adapter in $adapters) { $dnsConfig = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4 if ($dnsConfig.ServerAddresses) { $dnsServers += $dnsConfig.ServerAddresses } } # Get domain info $computerInfo = Get-ComputerInfo if ($computerInfo.CsDomain) { $domains += $computerInfo.CsDomain } $result = @{ DNSServers = $dnsServers | Sort-Object | Get-Unique Domain = if ($domains.Count -gt 0) { $domains[0] } else { "" } } $result | ConvertTo-Json -Compress } catch { Write-Output "{""DNSServers"":[],""Domain"":""""}" } EngineVersion=4.0 RunspaceId=e96dd04d-4864-4e55-b8bb-200ac7a64f55 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=dLin **E+FR ]Ɋ& 7!XFRE+ F&AliasStarted ProviderName=Alias NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=4.0 HostId=5e300772-22b2-4edc-86cb-37aef6485b7e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=a**F+FR ]Ɋ& O!XFRF+ F&,EnvironmentStarted ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=4.0 HostId=5e300772-22b2-4edc-86cb-37aef6485b7e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=e**G+FR ]Ɋ& K!XFRG+ F&(FileSystemStarted ProviderName=FileSystem NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=4.0 HostId=5e300772-22b2-4edc-86cb-37aef6485b7e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= - 6 } | F ] ]Ɋ& XXFRH+ F& if($_.MediaType -eq 11) {"ramdisk"} else {"removable"} } } | ConvertTo-Json -Compress EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=X5ElfChnkH+f+H+f+8ܠv' cfMu=VysMc&&** H+FR ]Ɋ&]Ɋ 7{#]AQM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAR{Provider/=KName PowerShellAMsaEventID') QualifiersdLevelE{Task$jKeywordsAP:; TimeCreated'cj<{ SystemTime .F EventRecordID FaChannelWindows PowerShell<:;nComputer FILF-APP-RECABV.SecurityyfLUserID ! !XFRH+ F&F%g>9{p(xlMD EventDatauoData !Binary FunctionStarted ProviderName=Function NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=4.0 HostId=5e300772-22b2-4edc-86cb-37aef6485b7e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **I+FR ]Ɋ& C!XFRI+ F& RegistryStarted ProviderName=Registry NewProviderState=Started SequenceNumber=9 HostName=ConsoleHost HostVersion=4.0 HostId=5e300772-22b2-4edc-86cb-37aef6485b7e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ndP**J+FR ]Ɋ& E!XFRJ+ F&"VariableStarted ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=5e300772-22b2-4edc-86cb-37aef6485b7e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= **@K+FR ]Ɋ& !FRK+ F&rAvailableNone NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=4.0 HostId=5e300772-22b2-4edc-86cb-37aef6485b7e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=797dc175-25b2-4b52-8da2-95dbcc0f1f5a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=@**PL+9R ]Ɋ& !9RL+ F&~StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=5e300772-22b2-4edc-86cb-37aef6485b7e HostApplication=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command try { Get-NetNeighbor | Where-Object {$_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne ''} | Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | ConvertTo-Json -Compress } catch { # Fallback to arp command Write-Output "[]" } EngineVersion=4.0 RunspaceId=797dc175-25b2-4b52-8da2-95dbcc0f1f5a PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=ine=P**M+4R ]Ɋ&  !4RM+ F&StoppedAvailable NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=4.0 HostId=67e40604-90a5-4abb-8fc7-4c7c960a2cbf HostApplication=powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Program Files\Neptune\bin\health-check.ps1 EngineVersion=4.0 RunspaceId=5d204a09-4905-4b70-b344-4535f50673c5 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=amdi**HN+